From owner-svn-src-stable-10@freebsd.org  Sun Apr 23 08:59:58 2017
Return-Path: <owner-svn-src-stable-10@freebsd.org>
Delivered-To: svn-src-stable-10@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id BAD75D4C50E;
 Sun, 23 Apr 2017 08:59:58 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 7134BF85;
 Sun, 23 Apr 2017 08:59:58 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v3N8xvFw080507;
 Sun, 23 Apr 2017 08:59:57 GMT (envelope-from kp@FreeBSD.org)
Received: (from kp@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v3N8xvAr080505;
 Sun, 23 Apr 2017 08:59:57 GMT (envelope-from kp@FreeBSD.org)
Message-Id: <201704230859.v3N8xvAr080505@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org
 using -f
From: Kristof Provost <kp@FreeBSD.org>
Date: Sun, 23 Apr 2017 08:59:57 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r317335 - in stable/10/sys: netinet6 netpfil/pf
X-SVN-Group: stable-10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-10@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for only the 10-stable src tree
 <svn-src-stable-10.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-10>, 
 <mailto:svn-src-stable-10-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-10/>
List-Post: <mailto:svn-src-stable-10@freebsd.org>
List-Help: <mailto:svn-src-stable-10-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10>, 
 <mailto:svn-src-stable-10-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Apr 2017 08:59:58 -0000

Author: kp
Date: Sun Apr 23 08:59:57 2017
New Revision: 317335
URL: https://svnweb.freebsd.org/changeset/base/317335

Log:
  MFC r317186
  
  pf: Fix possible incorrect IPv6 fragmentation
  
  When forwarding pf tracks the size of the largest fragment in a fragmented
  packet, and refragments based on this size.
  It failed to ensure that this size was a multiple of 8 (as is required for all
  but the last fragment), so it could end up generating incorrect fragments.
  
  For example, if we received an 8 byte and 12 byte fragment pf would emit a first
  fragment with 12 bytes of payload and the final fragment would claim to be at
  offset 8 (not 12).
  
  We now assert that the fragment size is a multiple of 8 in ip6_fragment(), so
  other users won't make the same mistake.
  
  Reported by:    Antonios Atlasis <aatlasis at secfu net>

Modified:
  stable/10/sys/netinet6/ip6_output.c
  stable/10/sys/netpfil/pf/pf_norm.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netinet6/ip6_output.c
==============================================================================
--- stable/10/sys/netinet6/ip6_output.c	Sun Apr 23 08:59:35 2017	(r317334)
+++ stable/10/sys/netinet6/ip6_output.c	Sun Apr 23 08:59:57 2017	(r317335)
@@ -219,6 +219,8 @@ ip6_fragment(struct ifnet *ifp, struct m
 	int error;
 	int tlen = m0->m_pkthdr.len;
 
+	KASSERT(( mtu % 8 == 0), ("Fragment length must be a multiple of 8"));
+
 	m = m0;
 	ip6 = mtod(m, struct ip6_hdr *);
 	mnext = &m->m_nextpkt;

Modified: stable/10/sys/netpfil/pf/pf_norm.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf_norm.c	Sun Apr 23 08:59:35 2017	(r317334)
+++ stable/10/sys/netpfil/pf/pf_norm.c	Sun Apr 23 08:59:57 2017	(r317335)
@@ -1128,6 +1128,10 @@ pf_refragment6(struct ifnet *ifp, struct
 		hdr->ip6_nxt = IPPROTO_FRAGMENT;
 	}
 
+	/* The MTU must be a multiple of 8 bytes, or we risk doing the
+	 * fragmentation wrong. */
+	maxlen = maxlen & ~7;
+
 	/*
 	 * Maxlen may be less than 8 if there was only a single
 	 * fragment.  As it was fragmented before, add a fragment