From: Kristof Provost
Subject: git: c23eda976a8a - main - pf: fix possible pd->pcksum NULL deref
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help:
List-Post:
List-Subscribe:
List-Unsubscribe:
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c23eda976a8aad6bbd6c2042fa2ba1f0bc640e19
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=c23eda976a8aad6bbd6c2042fa2ba1f0bc640e19

commit c23eda976a8aad6bbd6c2042fa2ba1f0bc640e19
Author: Kristof Provost
AuthorDate: 2025-09-02 13:14:49 +0000
Commit: Kristof Provost
CommitDate: 2025-09-05 19:54:12 +0000

pf: fix possible pd->pcksum NULL deref

Ensure that we always populate pcksum, not just for TCP/UDP/SCTP/ICMP. We may end up using it (through pf_change_ap()) if we're doing NAT, so ensure it's available even if it's sometimes just a dummy variable.

Reported-by: syzbot+3e73a7cba8cb6cd46f90@syzkaller.appspotmail.com
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 14 ++++++++
 tests/sys/netpfil/pf/Makefile | 1 +
 tests/sys/netpfil/pf/nat44.py | 76 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 91 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 242152f17db0..3a047ea44c47 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8854,6 +8854,11 @@ pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd,
 	default: {
 		int action;
 
+		/*
+		 * Placeholder value, so future calls to pf_change_ap()
+		 * don't try to update a NULL checksum pointer.
+		 */
+		pd->pcksum = &pd->sctp_dummy_sum;
 		key.af = pd2.af;
 		key.proto = pd2.proto;
 		pf_addrcpy(&key.addr[pd2.sidx], pd2.src, key.af);
@@ -10614,6 +10619,13 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 		break;
 	}
 #endif /* INET6 */
+	default:
+		/*
+		 * Placeholder value, so future calls to pf_change_ap() don't
+		 * try to update a NULL checksum pointer.
+		 */
+		pd->pcksum = &pd->sctp_dummy_sum;
+		break;
 	}
 
 	if (pd->sport)
@@ -10621,6 +10633,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 	if (pd->dport)
 		pd->odport = pd->ndport = *pd->dport;
 
+	MPASS(pd->pcksum != NULL);
+
 	return (0);
 }
 
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 616ffe560b3a..9f993eec61d0 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -61,6 +61,7 @@ ATF_TESTS_PYTEST+= header.py
 ATF_TESTS_PYTEST+= icmp.py
 ATF_TESTS_PYTEST+= igmp.py
 ATF_TESTS_PYTEST+= mld.py
+ATF_TESTS_PYTEST+= nat44.py
 ATF_TESTS_PYTEST+= nat64.py
 ATF_TESTS_PYTEST+= nat66.py
 ATF_TESTS_PYTEST+= return.py
diff --git a/tests/sys/netpfil/pf/nat44.py b/tests/sys/netpfil/pf/nat44.py
new file mode 100644
index 000000000000..d69e794a62c3
--- /dev/null
+++ b/tests/sys/netpfil/pf/nat44.py
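Review bot: In the pf_test_state_icmp hunk the placeholder is written to `pd->pcksum` although this `default:` branch keys on the embedded packet (`key.af = pd2.af`, `key.proto = pd2.proto`), and the assignment unconditionally replaces whatever pf_setup_pdesc installed in pd->pcksum for the outer ICMP header; if the inner-packet translation goes through pd2 rather than pd, or if later code in this function still relies on pd->pcksum for the outer checksum, the fix should be confirmed against that path (the function body continues outside the hunk). The `MPASS(pd->pcksum != NULL)` added in the third hunk only guards descriptors that pass through pf_setup_pdesc; a matching assertion at the point of use in pf_change_ap() would also cover descriptors assembled elsewhere, as pf_test_state_icmp evidently does here. The placeholder comment is duplicated verbatim in both hunks; a one-line comment on the sctp_dummy_sum field itself, e.g. `/* Placeholder checksum target for protocols pf tracks no transport checksum for. */`, would state the contract once and record that the field is no longer SCTP-specific.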
@@ -0,0 +1,76 @@
+#
+# SPDX-License-Identifier: BSD-2-Clause
+#
+# Copyright (c) 2025 Rubicon Communications, LLC (Netgate)
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+import pytest
+from atf_python.sys.net.tools import ToolsHelper
+from atf_python.sys.net.vnet import VnetTestTemplate
+
+class TestNAT44(VnetTestTemplate):
+    REQUIRED_MODULES = [ "pf" ]
+    TOPOLOGY = {
+        "vnet1": {"ifaces": ["if1"]},
+        "vnet2": {"ifaces": ["if1", "if2"]},
+        "vnet3": {"ifaces": ["if2"]},
+        "if1": {"prefixes4": [("192.0.2.2/24", "192.0.2.1/24")]},
+        "if2": {"prefixes4": [("198.51.100.1/24", "198.51.100.2")]},
+    }
+
+    def vnet2_handler(self, vnet):
+        outifname = vnet.iface_alias_map["if2"].name
+        ToolsHelper.print_output("/sbin/sysctl net.inet.ip.forwarding=1")
+
+        ToolsHelper.print_output("/sbin/pfctl -e")
+        ToolsHelper.print_output("/sbin/pfctl -x loud")
+        ToolsHelper.pf_rules([
+            "set reassemble yes",
+            "nat on {} inet from 192.0.2.0/24 -> ({})".format(outifname, outifname),
+            "pass"])
+
+    def vnet3_handler(self, vnet):
+        pass
+
+    @pytest.mark.require_user("root")
+    @pytest.mark.require_progs(["scapy"])
+    def test_nat_igmp(self):
+        "Verify that NAT translation of !(TCP|UDP|SCTP|ICMP) doesn't panic"
+        ToolsHelper.print_output("/sbin/route add default 192.0.2.1")
+        ToolsHelper.print_output("ping -c 3 198.51.100.2")
+
+        # Import in the correct vnet, so at to not confuse Scapy
+        import scapy.all as sp
+        import scapy.contrib as sc
+        import scapy.contrib.igmp
+
+        pkt = sp.IP(dst="198.51.100.2", ttl=64) \
+            / sc.igmp.IGMP(type=0x11, mrcode=1)
+        sp.send(pkt)
+
+        # This time we'll hit an existing state
+        pkt = sp.IP(dst="198.51.100.2", ttl=64) \
+            / sc.igmp.IGMP(type=0x11, mrcode=1)
+        reply = sp.sr1(pkt, timeout=3)
+        if reply:
+            reply.show()
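Review bot: test_nat_igmp never checks that the IGMP packet actually traversed the nat rule, so it passes vacuously if the default route or the first send silently fails (the results of the ToolsHelper.print_output calls are not inspected) and the only thing it proves is that the kernel stayed up. Since vnet3_handler is `pass` and no IGMP reply is expected, a sniffer in vnet3_handler that hands the captured packet back to the test through the harness's vnet pipe, followed by an assertion that its source address is the translated 198.51.100.1, would show the translation path was really exercised on both the first packet and the existing-state second one. In TOPOLOGY the if2 entry mixes a prefixed and a bare address, `"if2": {"prefixes4": [("198.51.100.1/24", "198.51.100.2")]}`, unlike if1; if the harness passes that through to ifconfig the vnet3 netmask comes from a default rather than from the test, so `("198.51.100.1/24", "198.51.100.2/24")` is the safer spelling. The comment before the scapy imports has a typo, `so at to not confuse Scapy` should read `so as to not confuse Scapy`.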