Date: Wed, 12 Feb 2025 19:39:10 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: d62832e21a0e - main - pf: make length overlow protection more obvious
Message-ID: <202502121939.51CJdAB0061743@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=d62832e21a0e396470bbe072ad33496e708db582 commit d62832e21a0e396470bbe072ad33496e708db582 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-02-06 15:43:14 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-02-12 19:38:38 +0000 pf: make length overlow protection more obvious Before pulling the TCP options from the mbuf onto the stack, do an additional length check in pf_modulate_sack() and pf_normalize_mss(). Overflow cannot happen due to the restricted values in the length calculation. As this is not obvious, be better safe than sorry. OK henning@ Obtained from: OpenBSD, henning <henning@openbsd.org>, a9e7ebb0d5 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf.c | 2 +- sys/netpfil/pf/pf_norm.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 3a56e6855d6f..6fdc0996324b 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -3867,7 +3867,7 @@ pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th, struct sackblk sack; #define TCPOLEN_SACKLEN (TCPOLEN_SACK + 2) - if (hlen < TCPOLEN_SACKLEN || + if (hlen < TCPOLEN_SACKLEN || hlen > MAX_TCPOPTLEN || !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, pd->af)) return 0; diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 7290ede8d393..6546f8684a68 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1945,8 +1945,8 @@ pf_normalize_mss(struct pf_pdesc *pd) thoff = th->th_off << 2; cnt = thoff - sizeof(struct tcphdr); - if (cnt > 0 && !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, cnt, - NULL, NULL, pd->af)) + if (cnt <= 0 || cnt > MAX_TCPOPTLEN || !pf_pull_hdr(pd->m, + pd->off + sizeof(*th), opts, cnt, NULL, NULL, pd->af)) return (0); for (; cnt > 0; cnt -= optlen, optp += optlen) {
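Review bot: In the pf_modulate_sack() hunk (sys/netpfil/pf/pf.c), the new bound `hlen > MAX_TCPOPTLEN` protects the copy into `opts` only if `opts` is declared with at least MAX_TCPOPTLEN bytes, and that declaration is outside the visible context. Since the stated goal is to make the protection obvious, consider comparing against the buffer itself (`hlen > sizeof(opts)`) or adding a compile-time assertion next to the declaration, so the check cannot drift from the buffer size if either is changed later.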
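Review bot: In the pf_normalize_mss() hunk (sys/netpfil/pf/pf_norm.c), replacing `cnt > 0 && !pf_pull_hdr(...)` with `cnt <= 0 || cnt > MAX_TCPOPTLEN || !pf_pull_hdr(...)` does more than add an upper bound: a header with no options (`cnt == 0`) now returns (0) immediately, where it previously fell through to the `for (; cnt > 0; ...)` loop and whatever follows it. The commit message mentions only the additional length check, so please confirm that nothing after the loop needs to run on the no-options path and say so in the message or a short comment. It would also help to state the type of `cnt` near the check, because `thoff - sizeof(struct tcphdr)` is computed in an unsigned type and the `cnt <= 0` test is only meaningful if `cnt` is signed.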