From nobody Fri Aug 4 14:13:13 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RHSNp0kCvz4kWrV; Fri, 4 Aug 2023 14:13:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RHSNn74gZz3Hv8; Fri, 4 Aug 2023 14:13:13 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1691158394; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=gGQQGe+uVFk735P/pgZ5eLshawSL8VXnxxhyv7bTqzA=; b=Toja3FJdt6QgOHL9agVITP7xxl8Gr4VP1SG8bGq/qyhBeSRQf0dhYq6NEIzkl356UCwQ7v vFT5KadBREaUonjcpkHEigo+0rSNrLvnzq1TJgeBSWxe3Zuxep0YFuj2CKYizYfrOI/+m6 +h+6kyVlBKvLuxOM3Go/9EdHIURgCbD2zdfXqeo866ZYXEDl27q6VRhEPRuI8FjQpdNllS Y+33VGkt30sMJ/9iJPfcegOAehVtXJiwxpaXl2+d90boAigKmAqSBe7NM1r5njcix586kV jOD6wYLqyuGssI+jeYayHbov9zJJXSUy2ZUlUahKpPG21gxpxIzFWg/sIWr4LA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1691158394; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=gGQQGe+uVFk735P/pgZ5eLshawSL8VXnxxhyv7bTqzA=; b=qONktvLDG3f1wcGeAU+dSK8b9ZWdQofBsBH+4eW2iyn7yUCtyVSVodlr1+vqpfMwyRu0Aw 77+jmQUU3mG3TW2Baqnp9DhDfqpF596QVxIMLCqiEU3VdJuGETVEVqF7lW2HRJgC0gFVRr 3ETIHVCuOyrekEkxaX/GJD0T0XpDsfubeqv9WswySZBy/zDwMFSlcWwu2xDKv23Dlh5+VX zvA8vBjLQqMxc0f7LIxEZsr+BrH7xK0x1vEdROvAJIUzeYKMK/1VTGr1ztBTnRZellF6CV e5TQ8qhnqkDT/v0C8se1wkmkUnaX6LBcH63nLX1JW1aOkAGZFoOmSfOV9dbVmw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1691158394; a=rsa-sha256; cv=none; b=t5nOgY6+Mx7ssyTLPceBcqkD075Cb+0/PE/zK71B3haODNywx7dLRuey+KLeMblhrtRwLL s5MqWYzUZkPSUCsatNTPqyp6V/twS9unL8aCSdZDXx2sUWHl0MYm/ASIH82SuHN3wLJbOO oRJtJNjNDcpgddRXvxuy8WxLswwnI8hb468Yzar+nt8Ye+6JboFKMj2koxFfGmqSFz2XUX q4Cq2ZUgP4koxKaFU/RItgiWYUppU1LFbyfM7HhRMzjaFNxN4YzXfgS0YLQNblANS9+cMp IBj+pL3yFe0VENISMs25MfyIBGS/j1DdYK7UqFNGsXJ5TUUS0zcc91eieou5Sg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RHSNn67V9z154G; Fri, 4 Aug 2023 14:13:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 374EDDw6003574; Fri, 4 Aug 2023 14:13:13 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 374EDD75003573; Fri, 4 Aug 2023 14:13:13 GMT (envelope-from git) Date: Fri, 4 Aug 2023 14:13:13 GMT Message-Id: <202308041413.374EDD75003573@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: 8922b9ac0b48 - stable/12 - pf: handle multiple IPv6 fragment headers List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 8922b9ac0b48749be42689ea959e6a1664f96b12 Auto-Submitted: auto-generated The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=8922b9ac0b48749be42689ea959e6a1664f96b12 commit 8922b9ac0b48749be42689ea959e6a1664f96b12 Author: Kristof Provost AuthorDate: 2023-07-28 09:39:33 +0000 Commit: Kristof Provost CommitDate: 2023-08-04 14:01:23 +0000 pf: handle multiple IPv6 fragment headers With 'scrub fragment reassemble' if a packet contains multiple IPv6 fragment headers we would reassemble the packet and immediately continue processing it. That is, we'd remove the first fragment header and expect the next header to be a final header (i.e. TCP, UDP, ICMPv6, ...). However, if it's another fragment header we'd not treat the packet correctly. That is, we'd fail to recognise the payload and treat it as if it were an IPv6 fragment rather than as its actual payload. Fix this by restarting the normalisation on the reassembled packet. If there are multiple fragment headers drop the packet. Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome) MFC after: instant Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 76afcbb52492f9b3e72ee7d4c4ed0a54c25e1c48) --- sys/netpfil/pf/pf_norm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index ec063f82c1d9..9e936bcd1da5 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1213,6 +1213,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len) goto drop; +again: + h = mtod(m, struct ip6_hdr *); extoff = 0; off = sizeof(struct ip6_hdr); proto = h->ip6_nxt; @@ -1303,6 +1305,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, return (PF_PASS); fragment: + if (pd->flags & PFDESC_IP_REAS) + return (PF_DROP); /* Jumbo payload packets cannot be fragmented. */ plen = ntohs(h->ip6_plen); if (plen == 0 || jumbolen) @@ -1324,7 +1328,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, return (PF_DROP); pd->flags |= PFDESC_IP_REAS; - return (PF_PASS); + goto again; shortpkt: REASON_SET(reason, PFRES_SHORT);