Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 1 Mar 2019 18:12:06 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r344706 - stable/12/sys/netpfil/pf
Message-ID:  <201903011812.x21IC6wW069158@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: kp
Date: Fri Mar  1 18:12:05 2019
New Revision: 344706
URL: https://svnweb.freebsd.org/changeset/base/344706

Log:
  MFC r344691:
  
  pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic
  
  We mistakenly used the extoff value from the last packet to patch the
  next_header field. If a malicious host sends a chain of fragmented packets
  where the first packet and the final packet have different lengths or number of
  extension headers we'd patch the next_header at the wrong offset.
  This can potentially lead to panics or rule bypasses.
  
  Reported by:	Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
  Approved by:	so
  Obtained from:	OpenBSD
  Security:	CVE-2019-5597

Modified:
  stable/12/sys/netpfil/pf/pf_norm.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netpfil/pf/pf_norm.c
==============================================================================
--- stable/12/sys/netpfil/pf/pf_norm.c	Fri Mar  1 16:16:38 2019	(r344705)
+++ stable/12/sys/netpfil/pf/pf_norm.c	Fri Mar  1 18:12:05 2019	(r344706)
@@ -668,11 +668,11 @@ pf_reassemble6(struct mbuf **m0, struct ip6_hdr *ip6, 
 	}
 
 	/* We have all the data. */
+	frent = TAILQ_FIRST(&frag->fr_queue);
+	KASSERT(frent != NULL, ("frent != NULL"));
 	extoff = frent->fe_extoff;
 	maxlen = frag->fr_maxlen;
 	frag_id = frag->fr_id;
-	frent = TAILQ_FIRST(&frag->fr_queue);
-	KASSERT(frent != NULL, ("frent != NULL"));
 	total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off +
 		TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len;
 	hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201903011812.x21IC6wW069158>