From nobody Wed May 27 13:42:09 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gQW4x5CtQz6f3sg for ; Wed, 27 May 2026 13:42:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gQW4x1QC0z4KSS for ; Wed, 27 May 2026 13:42:09 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779889329; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hzA0QEcPlogIKkJFf6hrd2PUuP9YrBT5/KKWcAHL5fg=; b=AZcLIQEAcFDClz2iPVWhMqbF0tm9gUTj8fvITh8YWzcoCogKcVzY0Wl0suSU8genGrtBc8 3s4YNXy3qeuCvH7ifMEarYXuIZmrtqWhp3+PDN/Hqtj1zz7U2qQexaEvE3GGQ+kRVzFg4Y YZ9kTm0Jrt+R/TSATtvelUHV/KeiyTT0t88fQgziFLi3cVfkCvgVHCC0zwlWuklswWIMS6 /im5Jao0FzjtLfnt+DFI9qPQLtLbFr+ElR1yS9DKn3voc+JU2LrQnqzIxMlxPQL9Obxv8C CLvbgViU+Roj67H4TmUUsLjRFPjE/BGE5NCQtgKvbOYKmLEUeoJ/n6JxSBUm1w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779889329; a=rsa-sha256; cv=none; b=E//xPbnXSIH1EhPuA9jLZfVPtwL6VEi3KM+X2eMaL6JDjYmQQ+aZxIpSR4rivZKhvDIkMu GuxRdNL6xnFG/Xy/QCBSaAu/ZdEk9w09YRtTaDPH2S3ka5HEu83uexmWI6O8gCHNkVkTln dtgHKPbovJS9u3HdNTmzQOsAqjKim0BNTr3X9HBV9VQspscpU86HuNXdLjIFvn5jAxoMmY YS0McTLp5Mn5Ma0f778nwYg16KnZjRCdZmrPHdXGW3b8WELBKqrZs9G8hh/PPV3Qyf6d8s x5GpCFfTD6twj9pniXjwoAfAQa4/Rxh52Eq07PXLwHVHiR4NVGtH5Ga/OYzfNA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779889329; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hzA0QEcPlogIKkJFf6hrd2PUuP9YrBT5/KKWcAHL5fg=; b=RbcSkU2NwQBVXRHByqj7UDMKyu42nWJpY7ro/Djr3tX66UQ2K9D3aI5r8Qp8Yo8mS8G+To hdHr8d29Sn93b6LxDGF9+L2gb2ZFMgNb6uN89t6+4a+FkNysMZwfyzI3J0qi7zp+ilfCii hyJdYB/FzNrzWnyfTWsxyC+tDlUFCyw3fOeStE3ivYTe4n2lvWBgw4ea+mwBgcWn7F50pd WZVxTDiJWqZXHA4sZCCj4XOYrswaRwORT5akvfbLJiO8MFGUYmEpilRP+dGUBByyTkUkbp MuU08jmVcuiCLQTgoMA85hWDj2IkIsajf0SZmh/+BXXXon5JkJNPIcUmShw4RA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gQW4x0gf5z11LH for ; Wed, 27 May 2026 13:42:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 1d687 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 27 May 2026 13:42:09 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Cy Schubert Subject: git: f296b1fd3e9a - stable/14 - ipfilter: Validate length before checksum List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cy X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: f296b1fd3e9a00835988215118d8d8b996f3c02b Auto-Submitted: auto-generated Date: Wed, 27 May 2026 13:42:09 +0000 Message-Id: <6a16f4b1.1d687.344d07b@gitrepo.freebsd.org> The branch stable/14 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=f296b1fd3e9a00835988215118d8d8b996f3c02b commit f296b1fd3e9a00835988215118d8d8b996f3c02b Author: Cy Schubert AuthorDate: 2026-05-11 15:44:52 +0000 Commit: Cy Schubert CommitDate: 2026-05-27 13:42:01 +0000 ipfilter: Validate length before checksum Validate the length of the packet listed in the mbuf is the same as the calculated packet length. If not reject the packet and bump the bad packet stat. PR: 295198 Differential Revision: https://reviews.freebsd.org/D57095 (cherry picked from commit 8dfb0805fc31cd78940429ab0560dae7e8ab6536) --- sys/netpfil/ipfilter/netinet/fil.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c index 2b81af276cb9..2c9a0732da1c 100644 --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c @@ -1995,7 +1995,7 @@ ipf_checkcipso(fr_info_t *fin, u_char *s, int ol) /* ------------------------------------------------------------------------ */ /* Function: ipf_makefrip */ -/* Returns: int - 0 == packet ok, -1 == packet freed */ +/* Returns: int - 0 == packet ok, -1 == packet freed or bad length */ /* Parameters: hlen(I) - length of IP packet header */ /* ip(I) - pointer to the IP header */ /* fin(IO) - pointer to packet information */ @@ -2023,14 +2023,23 @@ ipf_makefrip(int hlen, ip_t *ip, fr_info_t *fin) if (v == 4) { fin->fin_plen = ntohs(ip->ip_len); fin->fin_dlen = fin->fin_plen - hlen; - ipf_pr_ipv4hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_bad); + return (-1); + } else { + ipf_pr_ipv4hdr(fin); + } #ifdef USE_INET6 } else if (v == 6) { fin->fin_plen = ntohs(((ip6_t *)ip)->ip6_plen); fin->fin_dlen = fin->fin_plen; fin->fin_plen += hlen; - - ipf_pr_ipv6hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_v6_bad); + return (-1); + } else { + ipf_pr_ipv6hdr(fin); + } #endif } if (fin->fin_ip == NULL) {