Date: Wed, 27 May 2026 13:41:42 +0000 From: Cy Schubert <cy@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 77dd10b2408e - stable/15 - ipfilter: Validate length before checksum Message-ID: <6a16f496.1a1da.4f0a585@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/15 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=77dd10b2408eced1ac9eb63e27658491bf3ef701 commit 77dd10b2408eced1ac9eb63e27658491bf3ef701 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2026-05-11 15:44:52 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2026-05-27 13:41:25 +0000 ipfilter: Validate length before checksum Validate the length of the packet listed in the mbuf is the same as the calculated packet length. If not reject the packet and bump the bad packet stat. PR: 295198 Differential Revision: https://reviews.freebsd.org/D57095 (cherry picked from commit 8dfb0805fc31cd78940429ab0560dae7e8ab6536) --- sys/netpfil/ipfilter/netinet/fil.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c index 09640623fdf2..8acf37c4c81f 100644 --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c @@ -1991,7 +1991,7 @@ ipf_checkcipso(fr_info_t *fin, u_char *s, int ol) /* ------------------------------------------------------------------------ */ /* Function: ipf_makefrip */ -/* Returns: int - 0 == packet ok, -1 == packet freed */ +/* Returns: int - 0 == packet ok, -1 == packet freed or bad length */ /* Parameters: hlen(I) - length of IP packet header */ /* ip(I) - pointer to the IP header */ /* fin(IO) - pointer to packet information */ @@ -2019,14 +2019,23 @@ ipf_makefrip(int hlen, ip_t *ip, fr_info_t *fin) if (v == 4) { fin->fin_plen = ntohs(ip->ip_len); fin->fin_dlen = fin->fin_plen - hlen; - ipf_pr_ipv4hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_bad); + return (-1); + } else { + ipf_pr_ipv4hdr(fin); + } #ifdef USE_INET6 } else if (v == 6) { fin->fin_plen = ntohs(((ip6_t *)ip)->ip6_plen); fin->fin_dlen = fin->fin_plen; fin->fin_plen += hlen; - - ipf_pr_ipv6hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_v6_bad); + return (-1); + } else { + ipf_pr_ipv6hdr(fin); + } #endif } if (fin->fin_ip == NULL) {home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a16f496.1a1da.4f0a585>