From: Colin Percival
Subject: git: 508f9b68379f - releng/15.0 - ipfw: pmod: avoid further rule processing after tcp-mod failures
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cperciva
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/15.0
X-Git-Reftype: branch
X-Git-Commit: 508f9b68379f2aae57444f67f2a0e971c338d305
Auto-Submitted: auto-generated

The branch releng/15.0 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=508f9b68379f2aae57444f67f2a0e971c338d305

commit 508f9b68379f2aae57444f67f2a0e971c338d305
Author: Kyle Evans
AuthorDate: 2025-11-01 17:34:11 +0000
Commit: Colin Percival
CommitDate: 2025-11-05 19:36:38 +0000

ipfw: pmod: avoid further rule processing after tcp-mod failures

m_pullup() here will have freed the mbuf chain, but we pass back an IP_FW_DENY without any signal that the outer loop should finish. Thus, rule processing continues without an mbuf and there's a chance that we conclude that the packet may pass (but there's no mbuf remaining) depending on the rules that follow it.

Approved by: re (cperciva)
PR: 284606
Reviewed by: ae

(cherry picked from commit c0382512bfce872102d213b9bc2550de0bc30b67)
(cherry picked from commit 21d55ae111aada3c5426632253ad8df9103d3423)
---
 sys/netpfil/ipfw/pmod/tcpmod.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/sys/netpfil/ipfw/pmod/tcpmod.c b/sys/netpfil/ipfw/pmod/tcpmod.c
index 0338dc792c64..50074ee98cca 100644
--- a/sys/netpfil/ipfw/pmod/tcpmod.c
+++ b/sys/netpfil/ipfw/pmod/tcpmod.c
@@ -57,7 +57,8 @@ VNET_DEFINE_STATIC(uint32_t, tcpmod_setmss_eid) = 0;
 #define V_tcpmod_setmss_eid VNET(tcpmod_setmss_eid)
 
 static int
-tcpmod_setmss(struct mbuf **mp, struct tcphdr *tcp, int tlen, uint16_t mss)
+tcpmod_setmss(struct mbuf **mp, struct tcphdr *tcp, int tlen, uint16_t mss,
+ int *done)
 {
 struct mbuf *m;
 u_char *cp;
@@ -72,8 +73,10 @@ tcpmod_setmss(struct mbuf **mp, struct tcphdr *tcp, int tlen, uint16_t mss)
 * TCP header with options.
 */
 *mp = m = m_pullup(m, m->m_pkthdr.len);
- if (m == NULL)
+ if (m == NULL) {
+ *done = 1;
 return (ret);
+ }
 }
 /* Parse TCP options. */
 for (tlen -= sizeof(struct tcphdr), cp = (u_char *)(tcp + 1);
@@ -114,7 +117,7 @@ tcpmod_setmss(struct mbuf **mp, struct tcphdr *tcp, int tlen, uint16_t mss)
 
 #ifdef INET6
 static int
-tcpmod_ipv6_setmss(struct mbuf **mp, uint16_t mss)
+tcpmod_ipv6_setmss(struct mbuf **mp, uint16_t mss, int *done)
 {
 struct ip6_hdr *ip6;
 struct ip6_hbh *hbh;
@@ -142,13 +145,13 @@ tcpmod_ipv6_setmss(struct mbuf **mp, uint16_t mss)
 /* We must have TCP options and enough data in a packet. */
 if (hlen <= sizeof(struct tcphdr) || hlen > plen)
 return (IP_FW_DENY);
- return (tcpmod_setmss(mp, tcp, hlen, mss));
+ return (tcpmod_setmss(mp, tcp, hlen, mss, done));
 }
 #endif /* INET6 */
 
 #ifdef INET
 static int
-tcpmod_ipv4_setmss(struct mbuf **mp, uint16_t mss)
+tcpmod_ipv4_setmss(struct mbuf **mp, uint16_t mss, int *done)
 {
 struct tcphdr *tcp;
 struct ip *ip;
@@ -162,7 +165,7 @@ tcpmod_ipv4_setmss(struct mbuf **mp, uint16_t mss)
 /* We must have TCP options and enough data in a packet. */
 if (hlen <= sizeof(struct tcphdr) || hlen > plen)
 return (IP_FW_DENY);
- return (tcpmod_setmss(mp, tcp, hlen, mss));
+ return (tcpmod_setmss(mp, tcp, hlen, mss, done));
 }
 #endif /* INET */
 
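Review bot: The new `int *done` out-parameter added to tcpmod_setmss() in the first hunk is written on exactly one path, the m_pullup() failure in the second hunk, and nothing in these hunks documents that contract; the tcpmod_ipv6_setmss()/tcpmod_ipv4_setmss() hunks only pass it through and deliberately leave it untouched on their own IP_FW_DENY returns, where the mbuf is still intact because they return before any pullup. A future reader may "fix" that asymmetry, so I would pin it at the assignment, `*done = 1; /* m_pullup() freed the chain; *mp is NULL, caller must stop rule processing */`, and add a short header comment on tcpmod_setmss() stating that *done is only ever set when the mbuf chain has been consumed and *mp is NULL. The value of `ret` returned on that path is assigned outside the hunk, so I assume it is the deny verdict rather than a pass. tcpmod_setmss()'s body starts before and continues after the second hunk.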
@@ -206,19 +209,23 @@ ipfw_tcpmod(struct ip_fw_chain *chain, struct ip_fw_args *args,
 switch (args->f_id.addr_type) {
 #ifdef INET
 case 4:
- ret = tcpmod_ipv4_setmss(&args->m, htons(icmd->arg1));
+ ret = tcpmod_ipv4_setmss(&args->m, htons(icmd->arg1),
+ done);
 break;
 #endif
 #ifdef INET6
 case 6:
- ret = tcpmod_ipv6_setmss(&args->m, htons(icmd->arg1));
+ ret = tcpmod_ipv6_setmss(&args->m, htons(icmd->arg1),
+ done);
 break;
 #endif
 }
 /*
 * We return zero in both @ret and @done on success, and ipfw_chk()
 * will update rule counters. Otherwise a packet will not be matched
- * by rule.
+ * by rule. We passed @done around above in case we hit a fatal error
+ * somewhere, we'll return non-zero but signal that rule processing
+ * cannot succeed.
 */
 return (ret);
 }
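Review bot: The extended comment at the end of ipfw_tcpmod() says @done is set "in case we hit a fatal error somewhere", which is vaguer than the contract this commit actually implements: *done is written only when tcpmod_setmss() loses the mbuf chain to a failed m_pullup(), which leaves args->m NULL since the wrappers are called with `&args->m`. Because this comment is where the next maintainer will learn when @done is non-zero, I would state that precisely, e.g. `* by rule. @done is set non-zero only when the mbuf chain was freed`, `* (m_pullup() failure): args->m is then NULL, so ipfw_chk() must stop`, `* rule processing rather than match later rules against no packet.` The `done` parameter and the initial value of `ret` are declared outside the hunk, and ipfw_tcpmod()'s signature begins before it.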