From owner-svn-src-head@freebsd.org Thu Apr 20 09:05:54 2017 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9CF0ED47043; Thu, 20 Apr 2017 09:05:54 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 535F1B5C; Thu, 20 Apr 2017 09:05:54 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v3K95rKP097208; Thu, 20 Apr 2017 09:05:53 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v3K95rRT097206; Thu, 20 Apr 2017 09:05:53 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201704200905.v3K95rRT097206@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Thu, 20 Apr 2017 09:05:53 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r317186 - in head/sys: netinet6 netpfil/pf X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Apr 2017 09:05:54 -0000 Author: kp Date: Thu Apr 20 09:05:53 2017 New Revision: 317186 URL: https://svnweb.freebsd.org/changeset/base/317186 Log: pf: Fix possible incorrect IPv6 fragmentation When forwarding pf tracks the size of the largest fragment in a fragmented packet, and refragments based on this size. It failed to ensure that this size was a multiple of 8 (as is required for all but the last fragment), so it could end up generating incorrect fragments. For example, if we received an 8 byte and 12 byte fragment pf would emit a first fragment with 12 bytes of payload and the final fragment would claim to be at offset 8 (not 12). We now assert that the fragment size is a multiple of 8 in ip6_fragment(), so other users won't make the same mistake. Reported by: Antonios Atlasis MFC after: 3 days Modified: head/sys/netinet6/ip6_output.c head/sys/netpfil/pf/pf_norm.c Modified: head/sys/netinet6/ip6_output.c ============================================================================== --- head/sys/netinet6/ip6_output.c Thu Apr 20 09:01:31 2017 (r317185) +++ head/sys/netinet6/ip6_output.c Thu Apr 20 09:05:53 2017 (r317186) @@ -226,6 +226,8 @@ ip6_fragment(struct ifnet *ifp, struct m int error; int tlen = m0->m_pkthdr.len; + KASSERT(( mtu % 8 == 0), ("Fragment length must be a multiple of 8")); + m = m0; ip6 = mtod(m, struct ip6_hdr *); mnext = &m->m_nextpkt; Modified: head/sys/netpfil/pf/pf_norm.c ============================================================================== --- head/sys/netpfil/pf/pf_norm.c Thu Apr 20 09:01:31 2017 (r317185) +++ head/sys/netpfil/pf/pf_norm.c Thu Apr 20 09:05:53 2017 (r317186) @@ -762,6 +762,10 @@ pf_refragment6(struct ifnet *ifp, struct hdr->ip6_nxt = IPPROTO_FRAGMENT; } + /* The MTU must be a multiple of 8 bytes, or we risk doing the + * fragmentation wrong. */ + maxlen = maxlen & ~7; + /* * Maxlen may be less than 8 if there was only a single * fragment. As it was fragmented before, add a fragment