Date: Mon, 11 May 2026 13:33:36 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 295198] ipfilter apparently doesn't validate packet lengths Message-ID: <bug-295198-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295198

            Bug ID: 295198
           Summary: ipfilter apparently doesn't validate packet lengths
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: markj@FreeBSD.org

I saw a crash while running the test suite:

panic: in6_cksum_partial_l2: mbuf len (51) < off(40)+len(512)
cpuid = 8
time = 1778434309
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe00f11d7c70
kdb_backtrace() at kdb_backtrace+0xc6/frame 0xfffffe00f11d7dd0
vpanic() at vpanic+0x214/frame 0xfffffe00f11d7f70
panic() at panic+0xb5/frame 0xfffffe00f11d8030
in6_cksum_partial_l2() at in6_cksum_partial_l2+0x37e/frame 0xfffffe00f11d8120
fr_cksum() at fr_cksum+0x155/frame 0xfffffe00f11d8180
ipf_checkl4sum() at ipf_checkl4sum+0x144/frame 0xfffffe00f11d81c0
ipf_checkv6sum() at ipf_checkv6sum+0x81/frame 0xfffffe00f11d81f0
ipf_makefrip() at ipf_makefrip+0x2396/frame 0xfffffe00f11d8350
ipf_check() at ipf_check+0x3c4/frame 0xfffffe00f11d85f0
ipf_check_wrapper6() at ipf_check_wrapper6+0xd3/frame 0xfffffe00f11d8650
pfil_mbuf_in() at pfil_mbuf_in+0x7c/frame 0xfffffe00f11d8690
ip6_input() at ip6_input+0xbdd/frame 0xfffffe00f11d88b0
netisr_dispatch_src() at netisr_dispatch_src+0x1aa/frame 0xfffffe00f11d8990
ether_demux() at ether_demux+0x301/frame 0xfffffe00f11d8a50
ether_nh_input() at ether_nh_input+0x6ec/frame 0xfffffe00f11d8b30
netisr_dispatch_src() at netisr_dispatch_src+0x1aa/frame 0xfffffe00f11d8c10
ether_input() at ether_input+0x1ac/frame 0xfffffe00f11d8cf0
epair_tx_start_deferred() at epair_tx_start_deferred+0x140/frame 0xfffffe00f11d8d50
taskqueue_run_locked() at taskqueue_run_locked+0x3c2/frame 0xfffffe00f11d8eb0
taskqueue_thread_loop() at taskqueue_thread_loop+0x138/frame 0xfffffe00f11d8ef0
fork_exit() at fork_exit+0xa3/frame 0xfffffe00f11d8f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00f11d8f30
--- trap 0x5be18f56, rip = 0x10b55be18f96, rsp = 0x10b55be18fc6, rbp = 0x10b55be18ee6 ---

The basic problem here is:

(gdb) frame 25
#25 ipf_makefrip (hlen=hlen@entry=40, ip=ip@entry=0xfffffe00f40c456e, fin=fin@entry=0xfffffe00f11d8410) at /home/markj/sb/main/src/sys/netpfil/ipfilter/netinet/fil.c:2029
2029            ipf_pr_ipv6hdr(fin);
(gdb) p fin->fin_plen
$17 = 552
(gdb) p fin->fin_m->m_pkthdr.len
$18 = 51

That is, the packet's IPv6 header says the packet is longer than it actually is. This causes an underflow in fr_cksum() which causes the panic.

Surprisingly I cannot find any code in ipfilter which actually checks for this condition. Of course, ip6_input() does, but that happens after pfil hooks run. So I presume we should add a check for this, presumably in ipf_makefrip(), after the protocol-specific packet length field is extracted. But who knows what other validation is missing.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-295198-227>
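The check the report asks for, as an added user-space model that is not ipfilter's or FreeBSD's code: the IPv6 Payload Length field is read from the header, the total IP length (the analogue of fin_plen) is computed as hlen + payload length, and that total is compared with the number of bytes actually received (the analogue of m_pkthdr.len) before any L4 checksum or header walk is allowed to trust it. The function and type names (ipv6_len_check, len_status, the example_* builders) and the sample packets are constructed here for illustration; the first sample reproduces the report's numbers (51 bytes on the wire, header claiming a 512-byte payload). It goes slightly beyond the report by also checking that a UDP length field fits inside the validated IP length, since the same class of mismatch can appear one layer up.

```c
/* Added example: user-space model of a packet-length sanity check for IPv6.
 * Not ipfilter code. All names and sample packets here are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40
#define NXT_UDP 17 /* IPv6 Next Header value for UDP */

enum len_status {
    LEN_OK = 0,
    LEN_SHORT_HDR = -1,   /* fewer than 40 bytes were received */
    LEN_BAD_VERSION = -2, /* version nibble is not 6 */
    LEN_TRUNCATED = -3,   /* header claims more bytes than were received */
    LEN_BAD_L4 = -4       /* UDP length field does not fit in the IP length */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate the IPv6 length fields of pkt, where actual_len is the number of
 * bytes really present. On success stores hlen + payload length in *plen_out.
 * This is the check ip6_input() performs, modelled so that it can run before
 * any checksum code uses the claimed length. */
int ipv6_len_check(const uint8_t *pkt, size_t actual_len, size_t *plen_out)
{
    if (actual_len < IPV6_HDR_LEN)
        return LEN_SHORT_HDR;
    if ((pkt[0] >> 4) != 6)
        return LEN_BAD_VERSION;

    size_t plen = IPV6_HDR_LEN + be16(pkt + 4); /* Payload Length at offset 4 */
    if (plen > actual_len)
        return LEN_TRUNCATED; /* the report's case: 552 claimed, 51 received */

    if (pkt[6] == NXT_UDP) { /* Next Header at offset 6 */
        if (plen < IPV6_HDR_LEN + 8)
            return LEN_BAD_L4; /* not even a full UDP header */
        uint16_t ulen = be16(pkt + IPV6_HDR_LEN + 4); /* UDP Length field */
        if (ulen < 8 || ulen > plen - IPV6_HDR_LEN)
            return LEN_BAD_L4;
    }
    if (plen_out)
        *plen_out = plen;
    return LEN_OK;
}

/* Constructed sample: a minimal IPv6 header ::1 -> ::1 with the given
 * Payload Length and Next Header values. */
static void build_ipv6_hdr(uint8_t *pkt, uint16_t payload_len, uint8_t nxt)
{
    memset(pkt, 0, IPV6_HDR_LEN);
    pkt[0] = 0x60;                      /* version 6, traffic class 0 */
    pkt[4] = (uint8_t)(payload_len >> 8);
    pkt[5] = (uint8_t)(payload_len & 0xff);
    pkt[6] = nxt;
    pkt[7] = 64;                        /* hop limit */
    pkt[23] = 1;                        /* source ::1 */
    pkt[39] = 1;                        /* destination ::1 */
}

/* The report's numbers: 51 bytes received, header claims 512 bytes of payload. */
int example_truncated(void)
{
    uint8_t pkt[51];
    memset(pkt, 0, sizeof pkt);
    build_ipv6_hdr(pkt, 512, NXT_UDP);
    return ipv6_len_check(pkt, sizeof pkt, NULL);
}

/* Total length the truncated sample claims (hlen 40 + 512). */
size_t example_truncated_claimed_len(void)
{
    uint8_t pkt[51];
    build_ipv6_hdr(pkt, 512, NXT_UDP);
    return IPV6_HDR_LEN + be16(pkt + 4);
}

/* A consistent 51-byte packet: 11 bytes of payload, UDP Length 11. */
int example_consistent(size_t *plen_out)
{
    uint8_t pkt[51];
    memset(pkt, 0, sizeof pkt);
    build_ipv6_hdr(pkt, 11, NXT_UDP);
    pkt[IPV6_HDR_LEN + 5] = 11;
    return ipv6_len_check(pkt, sizeof pkt, plen_out);
}

/* IP length is consistent, but the UDP Length field claims 512 bytes. */
int example_bad_udp_len(void)
{
    uint8_t pkt[51];
    memset(pkt, 0, sizeof pkt);
    build_ipv6_hdr(pkt, 11, NXT_UDP);
    pkt[IPV6_HDR_LEN + 4] = 0x02; /* UDP Length = 0x0200 = 512 */
    return ipv6_len_check(pkt, sizeof pkt, NULL);
}

int main(void)
{
    size_t plen = 0;
    printf("truncated (claims %zu, has 51): %d\n",
           example_truncated_claimed_len(), example_truncated());
    printf("consistent: %d (plen %zu)\n", example_consistent(&plen), plen);
    printf("bad UDP length: %d\n", example_bad_udp_len());
    return 0;
}
```

The order of the checks matters: the IP-level comparison must come before any L4 field is read, because the UDP header offset is itself derived from the (as yet untrusted) header. A length that passes this check can still be shorter than the mbuf chain actually holds; ip6_input() trims such packets, and a firewall hook placed before it has to decide whether to do the same or to pass the untrimmed length through.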
