Date: Wed, 27 May 2026 13:42:09 +0000 From: Cy Schubert <cy@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: f296b1fd3e9a - stable/14 - ipfilter: Validate length before checksum Message-ID: <6a16f4b1.1d687.344d07b@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/14 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=f296b1fd3e9a00835988215118d8d8b996f3c02b commit f296b1fd3e9a00835988215118d8d8b996f3c02b Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2026-05-11 15:44:52 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2026-05-27 13:42:01 +0000 ipfilter: Validate length before checksum Validate the length of the packet listed in the mbuf is the same as the calculated packet length. If not reject the packet and bump the bad packet stat. PR: 295198 Differential Revision: https://reviews.freebsd.org/D57095 (cherry picked from commit 8dfb0805fc31cd78940429ab0560dae7e8ab6536) --- sys/netpfil/ipfilter/netinet/fil.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c index 2b81af276cb9..2c9a0732da1c 100644 --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c @@ -1995,7 +1995,7 @@ ipf_checkcipso(fr_info_t *fin, u_char *s, int ol) /* ------------------------------------------------------------------------ */ /* Function: ipf_makefrip */ -/* Returns: int - 0 == packet ok, -1 == packet freed */ +/* Returns: int - 0 == packet ok, -1 == packet freed or bad length */ /* Parameters: hlen(I) - length of IP packet header */ /* ip(I) - pointer to the IP header */ /* fin(IO) - pointer to packet information */ @@ -2023,14 +2023,23 @@ ipf_makefrip(int hlen, ip_t *ip, fr_info_t *fin) if (v == 4) { fin->fin_plen = ntohs(ip->ip_len); fin->fin_dlen = fin->fin_plen - hlen; - ipf_pr_ipv4hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_bad); + return (-1); + } else { + ipf_pr_ipv4hdr(fin); + } #ifdef USE_INET6 } else if (v == 6) { fin->fin_plen = ntohs(((ip6_t *)ip)->ip6_plen); fin->fin_dlen = fin->fin_plen; fin->fin_plen += hlen; - - ipf_pr_ipv6hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_v6_bad); + return (-1); + } else { + ipf_pr_ipv6hdr(fin); + } #endif } if (fin->fin_ip == NULL) {home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a16f4b1.1d687.344d07b>