Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 05 May 2026 16:25:56 +0000
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 9fe189c79a81 - stable/14 - pf: improve ASCONF chunk validation
Message-ID:  <69fa1a14.24794.5e2b0a94@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=9fe189c79a8161380800dcff1d15c4cea7467a7e

commit 9fe189c79a8161380800dcff1d15c4cea7467a7e
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-04-28 08:54:24 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-05-05 07:34:26 +0000

    pf: improve ASCONF chunk validation
    
    When processing an ASCONF chunk we failed to verify that the chunk
    length was at least 8 bytes. As a result we might end up passing a
    negative length to pf_multihome_scan(). Fortunately this merely meant
    the function did nothing, but we should discard such invalid packets, so
    explicitly check for this.
    
    MFC after:      1 week
    Reported by:    Mark Johnston
    Sponsored by:   Orange Business Services
    
    (cherry picked from commit bea1c2fcd7839fd90a8ce96d6dc6a033779bc3c2)
---
 sys/netpfil/pf/pf.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 3eab758296a9..469087a040e1 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6707,6 +6707,9 @@ pf_multihome_scan(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
 			    NULL, NULL, pd->af))
 				return (PF_DROP);
 
+			if (ntohs(ah.ph.param_length) < sizeof(ah))
+				return (PF_DROP);
+
 			ret = pf_multihome_scan(m, start + off + sizeof(ah),
 			    ntohs(ah.ph.param_length) - sizeof(ah), pd, kif,
 			    SCTP_ADD_IP_ADDRESS, true);
@@ -6724,6 +6727,10 @@ pf_multihome_scan(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
 			if (!pf_pull_hdr(m, start + off, &ah, sizeof(ah),
 			    NULL, NULL, pd->af))
 				return (PF_DROP);
+
+			if (ntohs(ah.ph.param_length) < sizeof(ah))
+				return (PF_DROP);
+
 			ret = pf_multihome_scan(m, start + off + sizeof(ah),
 			    ntohs(ah.ph.param_length) - sizeof(ah), pd, kif,
 			    SCTP_DEL_IP_ADDRESS, true);
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69fa1a14.24794.5e2b0a94>