From: "Andrey V. Elsukov"
Date: Fri, 17 Nov 2017 23:25:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r325962 - head/sys/netpfil/ipfw

Author: ae
Date: Fri Nov 17 23:25:06 2017
New Revision: 325962
URL: https://svnweb.freebsd.org/changeset/base/325962

Log:
  Add comment for accidentally committed unrelated change in r325960.

  Do not invoke IPv4 NAT handler for non IPv4 packets. Libalias expects
  a packet is IPv4. And in case when it is IPv6, it just translates them
  as IPv4. This leads to corruption and in some cases to panics. In
  particular a panic can happen when value of ip6_plen modified to
  something that leads to IP fragmentation, but actual packet length does
  not match the IP length.

  Packets that are not IPv4 will be dropped by NAT rule.

  Reported by: Viktor Dukhovni
  MFC after: 1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw2.c Fri Nov 17 23:22:39 2017 (r325961) +++ head/sys/netpfil/ipfw/ip_fw2.c Fri Nov 17 23:25:06 2017 (r325962) @@ -2560,6 +2560,10 @@ do { \ case O_NAT: l = 0; /* exit inner loop */ done = 1; /* exit outer loop */ + /* + * Ensure that we do not invoke NAT handler for + * non IPv4 packets. Libalias expects only IPv4. + */ if (!is_ipv4 || !IPFW_NAT_LOADED) { retval = IP_FW_DENY; break;
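
Review bot: The comment added above `if (!is_ipv4 || !IPFW_NAT_LOADED)` in the O_NAT case says why the NAT handler is skipped but not what happens to the packet instead: the branch sets `retval = IP_FW_DENY`, so a non-IPv4 packet that matches a nat rule is dropped, not passed on untranslated. Consider stating that in the comment (for example, "non-IPv4 packets are denied here"), because on a dual-stack rule set a nat rule without an IPv4-only match will discard IPv6 traffic, and the log message is the only place that says so. The comment also covers only the `!is_ipv4` half of the condition; a word on `!IPFW_NAT_LOADED` taking the same deny path would make the block self-explanatory.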