Date: Fri, 30 Apr 2021 08:45:50 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 055c55abefbe - main - pf: Fix IP checksum on reassembly Message-ID: <202104300845.13U8joDK087339@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=055c55abefbe19fe46a56894595af9c9dad7678c commit 055c55abefbe19fe46a56894595af9c9dad7678c Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2021-04-28 10:56:06 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-04-30 06:19:46 +0000 pf: Fix IP checksum on reassembly If we reassemble a packet we modify the IP header (to set the length and remove the fragment offset information), but we failed to update the checksum. On certain setups (mostly where we did not re-fragment again afterwards) this could lead to us sending out packets with incorrect checksums. PR: 255432 MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30026 --- sys/netpfil/pf/pf_norm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index d7310c7bccb4..6de1efa8ff84 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -794,7 +794,11 @@ pf_reassemble(struct mbuf **m0, struct ip *ip, int dir, u_short *reason) } ip = mtod(m, struct ip *); + ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_len, + htons(hdrlen + total), 0); ip->ip_len = htons(hdrlen + total); + ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_off, + ip->ip_off & ~(IP_MF|IP_OFFMASK), 0); ip->ip_off &= ~(IP_MF|IP_OFFMASK); if (hdrlen + total > IP_MAXPACKET) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202104300845.13U8joDK087339>