Date: Wed, 6 Sep 2023 17:37:33 GMT
Message-Id: <202309061737.386HbXXZ086487@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Gordon Tetlow
Subject: git: 41b7760991ef - releng/13.2 - pf: handle multiple IPv6 fragment headers
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches

The branch releng/13.2 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=41b7760991efda33f696c45d9eeaefd8bc63a847

commit 41b7760991efda33f696c45d9eeaefd8bc63a847
Author:     Kristof Provost
AuthorDate: 2023-07-13 08:25:49 +0000
Commit:     Gordon Tetlow
CommitDate: 2023-09-06 16:58:39 +0000

pf: handle multiple IPv6 fragment headers

With 'scrub fragment reassemble' if a packet contains multiple IPv6
fragment headers we would reassemble the packet and immediately continue
processing it.

That is, we'd remove the first fragment header and expect the next
header to be a final header (i.e. TCP, UDP, ICMPv6, ...). However, if
it's another fragment header we'd not treat the packet correctly.
That is, we'd fail to recognise the payload and treat it as if it were
an IPv6 fragment rather than as its actual payload.

Fix this by restarting the normalisation on the reassembled packet.
If there are multiple fragment headers drop the packet.

Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome) Sponsored by: Rubicon Communications, LLC ("Netgate") Approved by: so Security: FreeBSD-SA-23:10.pf Security: CVE-2023-4809 (cherry picked from commit 76afcbb52492f9b3e72ee7d4c4ed0a54c25e1c48) (cherry picked from commit 3a0461f23a4f4fe8fc82b3445285d3d07787b016) --- sys/netpfil/pf/pf_norm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 56b30faf7e52..d4eb3c98eed5 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1216,6 +1216,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len) goto drop; +again: + h = mtod(m, struct ip6_hdr *); plen = ntohs(h->ip6_plen); /* jumbo payload option not supported */ if (plen == 0) @@ -1286,6 +1288,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, return (PF_PASS); fragment: + if (pd->flags & PFDESC_IP_REAS) + return (PF_DROP); if (sizeof(struct ip6_hdr) + plen > m->m_pkthdr.len) goto shortpkt; @@ -1303,7 +1307,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, return (PF_DROP); pd->flags |= PFDESC_IP_REAS; - return (PF_PASS); + goto again; shortpkt: REASON_SET(reason, PFRES_SHORT);
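
Review bot: in the first hunk (@@ -1216), the again: label sits below the "sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len" check, so a packet that re-enters through the new goto is not measured against that limit a second time. If reassembly already bounds the total length, a one-line comment at the label saying so would make that explicit; otherwise move the label above the length check. The label also deserves a short comment stating that it is the restart point for a reassembled packet.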
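
Review bot: in the second hunk (@@ -1286), the new "if (pd->flags & PFDESC_IP_REAS) return (PF_DROP);" at fragment: drops the packet without setting a reason, whereas the shortpkt: path visible at the end of the patch records one with REASON_SET(reason, PFRES_SHORT). Suggest setting a reason before returning so that these drops show up in the counters and logs, and adding a comment that this branch is reached only when a second fragment header is found after reassembly, since that is not obvious from the flag test alone.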
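
Review bot: in the third hunk (@@ -1303), "goto again" makes the function loop backwards, and the only thing that ends the loop is the PFDESC_IP_REAS test added at fragment: in the previous hunk; a comment here tying the two together would keep a later change from removing one without the other. Also, the line added at again: reads "h = mtod(m, struct ip6_hdr *)", and the function receives struct mbuf **m0, but the visible context does not show m being reloaded from *m0 after reassembly; please confirm that m points at the reassembled chain before the jump, and that any offsets computed on the first pass are reset after again:.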
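
Added example, not part of the commit and not FreeBSD's code: a stand-alone user-space model of the rule the commit message describes, walking an IPv6 extension-header chain and rejecting a second fragment header instead of treating it as payload. The function name, verdict values and the two sample packets are constructed for illustration, and the model only considers offset-0 fragments whose header chain is fully present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };
enum verdict { V_PASS, V_DROP_SHORT, V_DROP_MULTI_FRAG };

/* Constructed packets: 40-byte IPv6 header, then offset-0 fragment header(s). */
static const uint8_t single_frag[48] = {
	[0] = 0x60, [5] = 8, [6] = NH_FRAGMENT, [40] = NH_TCP };
static const uint8_t double_frag[56] = {
	[0] = 0x60, [5] = 16, [6] = NH_FRAGMENT, [40] = NH_FRAGMENT, [48] = NH_TCP };

/* Hypothetical helper: walk the chain, report the upper-layer protocol. */
enum verdict
check_chain(const uint8_t *p, size_t len, uint8_t *upper, int *nfrag)
{
	size_t off = 40, hlen;
	uint8_t nh;

	*nfrag = 0;
	if (len < off)
		return (V_DROP_SHORT);
	nh = p[6];				/* Next Header of fixed header */
	for (;;) {
		if (nh != NH_FRAGMENT && nh != NH_HOPOPTS &&
		    nh != NH_ROUTING && nh != NH_DSTOPTS) {
			*upper = nh;		/* real payload reached */
			return (V_PASS);
		}
		if (len - off < 8)
			return (V_DROP_SHORT);
		/* Fragment header is fixed at 8 bytes; others carry a length. */
		hlen = (nh == NH_FRAGMENT) ? 8 : ((size_t)p[off + 1] + 1) * 8;
		if (len - off < hlen)
			return (V_DROP_SHORT);
		if (nh == NH_FRAGMENT && ++*nfrag > 1)
			return (V_DROP_MULTI_FRAG);	/* nested fragment header */
		nh = p[off];
		off += hlen;
	}
}

int main(void)
{
	uint8_t up = 0; int n = 0;
	printf("single: %d\n", check_chain(single_frag, sizeof(single_frag), &up, &n));
	printf("double: %d\n", check_chain(double_frag, sizeof(double_frag), &up, &n));
	return (0);
}
```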