To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: 77dd10b2408e - stable/15 - ipfilter: Validate length before checksum
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 77dd10b2408eced1ac9eb63e27658491bf3ef701
Date: Wed, 27 May 2026 13:41:42 +0000
Message-Id: <6a16f496.1a1da.4f0a585@gitrepo.freebsd.org>

The branch stable/15 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=77dd10b2408eced1ac9eb63e27658491bf3ef701

commit 77dd10b2408eced1ac9eb63e27658491bf3ef701
Author: Cy Schubert
AuthorDate: 2026-05-11 15:44:52 +0000
Commit: Cy Schubert
CommitDate: 2026-05-27 13:41:25 +0000

    ipfilter: Validate length before checksum

    Validate the length of the packet listed in the mbuf is the same as the calculated packet length. If not reject the packet and bump the bad packet stat.

    PR: 295198
    Differential Revision: https://reviews.freebsd.org/D57095

    (cherry picked from commit 8dfb0805fc31cd78940429ab0560dae7e8ab6536)

--- sys/netpfil/ipfilter/netinet/fil.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c index 09640623fdf2..8acf37c4c81f 100644 --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -1991,7 +1991,7 @@ ipf_checkcipso(fr_info_t *fin, u_char *s, int ol) /* ------------------------------------------------------------------------ */ /* Function: ipf_makefrip */ -/* Returns: int - 0 == packet ok, -1 == packet freed */ +/* Returns: int - 0 == packet ok, -1 == packet freed or bad length */ /* Parameters: hlen(I) - length of IP packet header */ /* ip(I) - pointer to the IP header */ /* fin(IO) - pointer to packet information */ @@ -2019,14 +2019,23 @@ ipf_makefrip(int hlen, ip_t *ip, fr_info_t *fin) if (v == 4) { fin->fin_plen = ntohs(ip->ip_len); fin->fin_dlen = fin->fin_plen - hlen; - ipf_pr_ipv4hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_bad); + return (-1); + } else { + ipf_pr_ipv4hdr(fin); + } #ifdef USE_INET6 } else if (v == 6) { fin->fin_plen = ntohs(((ip6_t *)ip)->ip6_plen); fin->fin_dlen = fin->fin_plen; fin->fin_plen += hlen; - - ipf_pr_ipv6hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_v6_bad); + return (-1); + } else { + ipf_pr_ipv6hdr(fin); + } #endif } if (fin->fin_ip == NULL) {
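
Review bot: the updated Returns line in the ipf_makefrip header comment, "-1 == packet freed or bad length", folds two outcomes with different mbuf ownership into one value, because the new bad-length branches return -1 with no visible free of fin->fin_m. The comment should say whether the caller still owns the mbuf on the bad-length return, or the function should use a distinct return value for that case, so a caller treating every -1 as "already freed" does not leak the packet.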
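
Review bot: the new condition in both the v4 and v6 branches of ipf_makefrip rejects only when m_pkthdr.len < fin_plen, while the commit message says the mbuf length must be "the same as" the calculated length; if accepting an mbuf longer than the header-declared length is intended, a one-line comment saying so would keep the next reader from "fixing" it to !=. The check is also skipped entirely when fin_m is NULL or lacks M_PKTHDR, so ipf_pr_ipv4hdr/ipf_pr_ipv6hdr still run on an unvalidated fin_plen on that path, and fin_dlen = fin_plen - hlen is assigned before the test with nothing in the hunk confirming fin_plen >= hlen. Style: parenthesise the flag test as (fin->fin_m->m_flags & M_PKTHDR), wrap the condition to stay within the line limit, drop the else after return (-1), and consider hoisting the duplicated test into one small helper shared by both address families.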