Date:      Fri, 17 Nov 2017 23:25:06 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r325962 - head/sys/netpfil/ipfw
Message-ID:  <201711172325.vAHNP6IL077432@repo.freebsd.org>

Author: ae
Date: Fri Nov 17 23:25:06 2017
New Revision: 325962
URL: https://svnweb.freebsd.org/changeset/base/325962

Log:
  Add a comment for the accidentally committed unrelated change in r325960.
  
  Do not invoke the IPv4 NAT handler for non-IPv4 packets. Libalias expects
  a packet to be IPv4, and in case it is IPv6, it just translates it
  as IPv4. This leads to corruption and in some cases to panics.
  In particular a panic can happen when the value of ip6_plen is modified to
  something that leads to IP fragmentation, but the actual packet length does
  not match the IP length.
  
  Packets that are not IPv4 will be dropped by the NAT rule.
  
  Reported by:	Viktor Dukhovni <freebsd at dukhovni dot org>
  MFC after:	1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw2.c	Fri Nov 17 23:22:39 2017	(r325961)
+++ head/sys/netpfil/ipfw/ip_fw2.c	Fri Nov 17 23:25:06 2017	(r325962)
@@ -2560,6 +2560,10 @@ do {								\
 			case O_NAT:
 				l = 0;          /* exit inner loop */
 				done = 1;       /* exit outer loop */
+				/*
+				 * Ensure that we do not invoke NAT handler for
+				 * non IPv4 packets. Libalias expects only IPv4.
+				 */
 				if (!is_ipv4 || !IPFW_NAT_LOADED) {
 				    retval = IP_FW_DENY;
 				    break;
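Review bot: the new comment above `if (!is_ipv4 || !IPFW_NAT_LOADED)` documents only the first half of the condition; the second half (the NAT module not being loaded) also yields `IP_FW_DENY`, and a reader of the comment alone could take the deny branch to be purely an IPv6 guard. Suggest extending it, e.g. `* non IPv4 packets. Libalias expects only IPv4. Also deny` / `* when the NAT module is not loaded.`, and since the log says the check itself landed unrelated in r325960, a reference to that revision in the comment would help anyone bisecting later.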

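As an added illustration of the failure mode the log describes (not code from FreeBSD, ipfw or libalias), the block below reads a constructed IPv6 header the way an IPv4-only translator would, showing that the "header length" and "total length" it recovers are garbage (bits of the flow label), and then applies a guard equivalent to the O_NAT check: anything that is not IPv4, or arrives while NAT is not loaded, is denied before it can reach the translator. The length-consistency check on genuine IPv4 packets and all packet bytes are assumptions added for the example; `IP_FW_PASS`/`IP_FW_DENY` are stand-in constants, and nothing here calls the real `LibAliasIn`/`LibAliasOut`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in verdicts; the real ipfw constants live in ip_fw_private.h. */
#define IP_FW_PASS 0
#define IP_FW_DENY 1

/* Constructed sample: IPv6, version 6, traffic class 0, flow label 0xabcde,
 * payload length 8, next header 59 (no next header), hop limit 64, ::1 -> ::1. */
static const uint8_t ip6_pkt[48] = {
	0x60, 0x0a, 0xbc, 0xde, 0x00, 0x08, 0x3b, 0x40,
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,	/* src ::1 */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,	/* dst ::1 */
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xba, 0xbe	/* 8-byte payload */
};

/* Constructed sample: IPv4, IHL 5 (20 bytes), total length 28, TTL 64,
 * protocol 253 (experimental), checksum left zero, 10.0.0.1 -> 10.0.0.2. */
static const uint8_t ip4_pkt[28] = {
	0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00,
	0x40, 0xfd, 0x00, 0x00,
	10, 0, 0, 1, 10, 0, 0, 2,
	0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xba, 0xbe	/* 8-byte payload */
};

static unsigned be16(const uint8_t *p)
{
	return ((unsigned)p[0] << 8) | p[1];
}

/* Version nibble shared by IPv4 and IPv6; -1 if there is no first byte. */
int ip_version(const uint8_t *pkt, size_t len)
{
	return len < 1 ? -1 : pkt[0] >> 4;
}

/* The two IPv4 header fields an IPv4-only translator trusts. Applied to an
 * IPv6 header they decode the traffic class / flow label bits instead. */
unsigned ip4_hdr_len(const uint8_t *pkt)
{
	return (pkt[0] & 0x0f) * 4;	/* IHL in 32-bit words */
}

unsigned ip4_total_len(const uint8_t *pkt)
{
	return be16(pkt + 2);		/* ip_len, network byte order */
}

/* Guard equivalent to the O_NAT check in the hunk: deny unless the packet is
 * IPv4 and the NAT module is loaded. The extra length check is an assumption
 * of this example, not something the committed code does. */
int nat_dispatch(const uint8_t *pkt, size_t len, int nat_loaded)
{
	if (ip_version(pkt, len) != 4 || !nat_loaded)
		return IP_FW_DENY;
	if (len < 20 || ip4_hdr_len(pkt) < 20 || ip4_total_len(pkt) != len)
		return IP_FW_DENY;
	return IP_FW_PASS;	/* here the real code would hand off to libalias */
}

int main(void)
{
	/* What the translator would believe about the IPv6 packet if let through. */
	printf("ip6 read as ip4: version=%d hdr_len=%u total_len=%u (actual %zu)\n",
	    ip_version(ip6_pkt, sizeof ip6_pkt), ip4_hdr_len(ip6_pkt),
	    ip4_total_len(ip6_pkt), sizeof ip6_pkt);
	printf("ip6 verdict=%d ip4 verdict=%d ip4 (nat unloaded) verdict=%d\n",
	    nat_dispatch(ip6_pkt, sizeof ip6_pkt, 1),
	    nat_dispatch(ip4_pkt, sizeof ip4_pkt, 1),
	    nat_dispatch(ip4_pkt, sizeof ip4_pkt, 0));
	return 0;
}
```

Run stand-alone, the first line shows the IPv6 header decoding to a 0-byte IPv4 header and a 48350-byte total length for a 48-byte buffer, which is the kind of length mismatch the log blames for the fragmentation panic; the second line shows the guard denying it while passing the well-formed IPv4 packet only when NAT is loaded.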