From: Kristof Provost
Subject: git: dda88af8fa4e - main - pf: limit how many headers we look at
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: dda88af8fa4eb1455a6e899434936c4ddeaf526d
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=dda88af8fa4eb1455a6e899434936c4ddeaf526d

commit dda88af8fa4eb1455a6e899434936c4ddeaf526d
Author: Kristof Provost
AuthorDate: 2025-05-26 09:55:12 +0000
Commit: Kristof Provost
CommitDate: 2025-06-06 11:16:00 +0000

pf: limit how many headers we look at

Limit the nested header chain for IPv6 extensions headers and for authentication headers in the IPv4 case. This prevents spending excessive cpu time on crafted packets.

OK henning@
Obtained from: OpenBSD, bluhm , 2e5bc81177
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50659
---
 sys/netpfil/pf/pf.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 0cfb728c3eb5..f1b04a96590b 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -180,6 +180,8 @@ VNET_DEFINE(u_int32_t, ticket_altqs_inactive);
 VNET_DEFINE(int, altqs_inactive_open);
 VNET_DEFINE(u_int32_t, ticket_pabuf);
+static const int PF_HDR_LIMIT = 20; /* arbitrary limit */
+
 VNET_DEFINE(SHA512_CTX, pf_tcp_secret_ctx);
 #define V_pf_tcp_secret_ctx VNET(pf_tcp_secret_ctx)
 VNET_DEFINE(u_char, pf_tcp_secret[16]);
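Review bot: The comment on the new `PF_HDR_LIMIT` constant, `/* arbitrary limit */`, tells a maintainer nothing about what the constant bounds or why 20 was chosen, and the later hunks show the same value capping both the IPv4 AH chain in pf_walk_header() and the IPv6 extension-header chain in pf_walk_header6(), so the why belongs here. I would replace it with `/* Max headers pf_walk_header{,6}() will walk per packet (AH chain for IPv4, extension headers for IPv6) before dropping it; bounds CPU spent on crafted header chains. */`. Since exceeding the limit is a hard drop with no tunable, it is also worth stating in the comment that legitimate traffic is expected to stay well below it, so an operator who sees such drops knows the packets are malformed or hostile rather than the limit being too tight.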
@@ -9698,6 +9700,7 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
 {
 struct ah ext;
 u_int32_t hlen, end;
+ int hdr_cnt;
 
 hlen = h->ip_hl << 2;
 if (hlen < sizeof(struct ip) || hlen > ntohs(h->ip_len)) {
@@ -9710,7 +9713,7 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
 /* stop walking over non initial fragments */
 if ((h->ip_off & htons(IP_OFFMASK)) != 0)
 return (PF_PASS);
- for (;;) {
+ for (hdr_cnt = 0; hdr_cnt < PF_HDR_LIMIT; hdr_cnt++) {
 switch (pd->proto) {
 case IPPROTO_AH:
 /* fragments may be short */
@@ -9729,6 +9732,9 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
 return (PF_PASS);
 }
 }
+ DPFPRINTF(PF_DEBUG_MISC, ("IPv4 nested authentication header limit"));
+ REASON_SET(reason, PFRES_IPOPTIONS);
+ return (PF_DROP);
 }
 
 #ifdef INET6
@@ -9801,14 +9807,13 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason)
 struct ip6_ext ext;
 struct ip6_rthdr rthdr;
 uint32_t end;
- int hdr_cnt = 0, fraghdr_cnt = 0, rthdr_cnt = 0;
+ int hdr_cnt, fraghdr_cnt = 0, rthdr_cnt = 0;
 
 pd->off += sizeof(struct ip6_hdr);
 end = pd->off + ntohs(h->ip6_plen);
 pd->fragoff = pd->extoff = pd->jumbolen = 0;
 pd->proto = h->ip6_nxt;
- for (;;) {
- hdr_cnt++;
+ for (hdr_cnt = 0; hdr_cnt < PF_HDR_LIMIT; hdr_cnt++) {
 switch (pd->proto) {
 case IPPROTO_FRAGMENT:
 if (fraghdr_cnt++) {
@@ -9863,7 +9868,7 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason)
 /* FALLTHROUGH */
 case IPPROTO_HOPOPTS:
 /* RFC2460 4.1: Hop-by-Hop only after IPv6 header */
- if (pd->proto == IPPROTO_HOPOPTS && hdr_cnt > 1) {
+ if (pd->proto == IPPROTO_HOPOPTS && hdr_cnt > 0) {
 DPFPRINTF(PF_DEBUG_MISC, ("IPv6 hopopts not first"));
 REASON_SET(reason, PFRES_IPOPTIONS);
 return (PF_DROP);
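Review bot: The new drop path added after the loop in pf_walk_header() reuses `PFRES_IPOPTIONS` and reports only through a debug-level `DPFPRINTF`, so a packet rejected for exceeding `PF_HDR_LIMIT` is indistinguishable in pf's reason counters from one dropped for a bad IP option; a flood of crafted AH chains will surface as ip-option drops, which is something a detection engineer should know when tuning alerts. That is a defensible choice if deliberate, but it deserves a line so nobody later expects a dedicated counter: `/* No dedicated reason code; limit drops are accounted as PFRES_IPOPTIONS. */`. pf_walk_header() begins before this hunk, and the identical accounting applies to the IPv6 drop path at the end of pf_walk_header6().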
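Review bot: Moving the `hdr_cnt++` into the `for` clause of pf_walk_header6() changes `hdr_cnt` from a 1-based count to the 0-based index of the header currently being examined; the HOPOPTS check in the following hunk is adjusted to match (`hdr_cnt > 1` becomes `hdr_cnt > 0`), but any other comparison against `hdr_cnt` in the body of pf_walk_header6() outside these hunks would need the same off-by-one fix, so that is worth a grep before merging. A short comment on the loop would stop the next reader from reintroducing the old meaning: `/* hdr_cnt: 0-based index of the header being examined; once PF_HDR_LIMIT headers have been walked the loop falls through to the drop below. */`. pf_walk_header6() starts before and continues past this hunk.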
@@ -9922,6 +9927,9 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason)
 return (PF_PASS);
 }
 }
+ DPFPRINTF(PF_DEBUG_MISC, ("IPv6 nested extension header limit"));
+ REASON_SET(reason, PFRES_IPOPTIONS);
+ return (PF_DROP);
 }
 
 #endif /* INET6 */