From nobody Fri Aug  4 13:59:14 2023
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RHS4g11H3z4kVKd;
	Fri,  4 Aug 2023 13:59:15 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4RHS4f5vXdz3FbX;
	Fri,  4 Aug 2023 13:59:14 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1691157554;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=jaaHiRAGtBKsdsJH8pmHdN0oWP7vJ21sUlESFBYguBs=;
	b=WVK3xj7Gu3KGgdES1Vdl3GopXNfp2dJNg22ZGdqIEcXNVGOSKhh60FtdxKGpGxTbgszu7A
	UbI19r0gwZKm1zJub4+BdkOSrwB6W2sKSHIQHWPqT5YImy/9uHiXCwU5/sKai31s7BV8pd
	DRqSIHWURWWJ6Zlnt0j6G8cq9cbmNgfok8cL7woWZbB2dkEmPvVGREVSfZV72EXX8oI+Zd
	Zvb2cthEkMVf4G6iOPNaMHkO+1zlmVoKZOhLHFKZZeS8XiqRpUbdsWOZnVl1cknoEpsRTp
	8iVUx8RcuZfvT5T6UyzSVpXVjnmEPNB0iQgoYuM7tHtfyAYvFI4aRfGotAqcEQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1691157554;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=jaaHiRAGtBKsdsJH8pmHdN0oWP7vJ21sUlESFBYguBs=;
	b=q30Ibpodeyt9ivC8FvPD4/qqENhuGcOcXzCPQ6aSCARYmG5+BnNBOfZEUWxg1Hw5ZV0kmg
	6m0HgJ7BJcDBTNtkesKxQ2fT15QDaXrot0XyD5KfHbyuYCZzCwwIZejjOZZ6DoO8/IDkfG
	moYPazMPrEGv+Yu0poxKMXw75JA7oxQK3AgKHldX1sndDv95c6wW3jPGWmzDWD8rsMp5zK
	oakmDBahesb/wtoyHfujtx5QNzRqoX4xu19/tml7Br6rcM1lQLvBy678ZdXb1zyysDhuQN
	D1vX2w/CUyD6ET9pouXVKNGQm/RFoT/YcPwGOJ2Djw9BB35349ued4VxhG6olA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1691157554; a=rsa-sha256; cv=none;
	b=VWQm47Tj7yDoMcm35sjNb3g3UySZyEcat2+6mK1yV7cIqXfbAzXY+1vfSu3McqJjfmWGZm
	7/gR91P5kNyUwOalstbiiFM0xAiXia2iKWaK2dvcyd9S3/7ioPtH3XqTG5XynxGU9gR+x6
	ESpCxPeAfZI+eWT48rK91cAoSHD/77W2XzhFkRqn1M+j1OM3uid9gKqR2+72o8jidU3XZY
	e7X21xfdsfOgsa4yvxdmkCDgXu2Kivv3NeDGanx5QgY6QDZYMN8VIvS592p65KrRrOlwNn
	1aE9qZK5Kp1x3EMxrSdRSd/qaoW5dIgI7yNPo9wPX8iGcSK2EBmUcSjEwT5bvg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RHS4f4ztHz14pC;
	Fri,  4 Aug 2023 13:59:14 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 374DxEpf070027;
	Fri, 4 Aug 2023 13:59:14 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 374DxEIb070026;
	Fri, 4 Aug 2023 13:59:14 GMT
	(envelope-from git)
Date: Fri, 4 Aug 2023 13:59:14 GMT
Message-Id: <202308041359.374DxEIb070026@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Kristof Provost <kp@FreeBSD.org>
Subject: git: 76afcbb52492 - main - pf: handle multiple IPv6 fragment headers
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-main@freebsd.org
X-BeenThere: dev-commits-src-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 76afcbb52492f9b3e72ee7d4c4ed0a54c25e1c48
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=76afcbb52492f9b3e72ee7d4c4ed0a54c25e1c48

commit 76afcbb52492f9b3e72ee7d4c4ed0a54c25e1c48
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-07-13 08:25:49 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-08-04 13:23:49 +0000

    pf: handle multiple IPv6 fragment headers
    
    With 'scrub fragment reassemble' if a packet contains multiple IPv6
    fragment headers we would reassemble the packet and immediately
    continue processing it.
    
    That is, we'd remove the first fragment header and expect the next
    header to be a final header (i.e. TCP, UDP, ICMPv6, ...). However, if
    it's another fragment header we'd not treat the packet correctly.
    That is, we'd fail to recognise the payload and treat it as if it were
    an IPv6 fragment rather than as its actual payload.
    
    Fix this by restarting the normalisation on the reassembled packet.
    If there are multiple fragment headers drop the packet.
    
    Reported by:    Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)
    MFC after:      instant
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_norm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 6dda410d8327..d3fb5dcc00ab 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1254,6 +1254,8 @@ pf_normalize_ip6(struct mbuf **m0, struct pfi_kkif *kif,
 	if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len)
 		goto drop;
 
+again:
+	h = mtod(m, struct ip6_hdr *);
 	plen = ntohs(h->ip6_plen);
 	/* jumbo payload option not supported */
 	if (plen == 0)
@@ -1322,6 +1324,8 @@ pf_normalize_ip6(struct mbuf **m0, struct pfi_kkif *kif,
 	return (PF_PASS);
 
  fragment:
+	if (pd->flags & PFDESC_IP_REAS)
+		return (PF_DROP);
 	if (sizeof(struct ip6_hdr) + plen > m->m_pkthdr.len)
 		goto shortpkt;
 
@@ -1339,7 +1343,7 @@ pf_normalize_ip6(struct mbuf **m0, struct pfi_kkif *kif,
 		return (PF_DROP);
 
 	pd->flags |= PFDESC_IP_REAS;
-	return (PF_PASS);
+	goto again;
 
  shortpkt:
 	REASON_SET(reason, PFRES_SHORT);