From nobody Fri Aug 4 14:08:24 2023 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RHSHD6YW5z4kVSd; Fri, 4 Aug 2023 14:08:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RHSHD5nF7z3GtF; Fri, 4 Aug 2023 14:08:24 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1691158104; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zd9KuwPNmK9ee4lp2eENilvlGNzjsgpDBAyh5cc20Qw=; b=LmeZToxCuevoQQm9tMfEs9n7aE0DnIa1wf5nC953BT0R6rXHpT0TcFRo3qvFYlKZqfwBpH NPwPnSLc9NOswOnr2n8XM0EFQ5gYbae/5xCFjuopS8V6EQKEt4Sb3bcfwzoxkwMnzU+K7g YTdw3prjQr0q2iFkPL2Z4PvdszXGruz2GFWL8wLhFda+ZDa/Z1wkTXHeSsUG8DIuyngVxb 8LTNvhUW2S1OSFOEjsm2tCOTz8la8uM3DMkXYWnJYMPi2QBSUnO+uj+Bo7axGxiBdJ/Och ZtYSNllYd7pq05Lrw6gsgajrWg0wk7LfFzHGe1agddr0rul7s8e9z+F22MvFdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1691158104; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zd9KuwPNmK9ee4lp2eENilvlGNzjsgpDBAyh5cc20Qw=; b=i2b7WWvjduJS87/nNktPG8oc6DMDCOjOwTQ+ZrdpGBMg6UISw+6uPa6VTWg1PaSLJGNbOw JdeVX1okDOWuhilwGB7izDcoSjLX/qTuM9h2DWqv4BXqkzN1CeGULCHaO24XwEp8QVhYnN IVQkr7WfPFtbFsSWLDRuFqeg0LljZ2o1ReHH+dsZPSiG3g0WaUOzFUwGTo8W8gRHPNUrgH FQBMSrGjCLjkKj/cYQNzaXGzUDIHZvQmzppH5TDVlgm20sxxgXuIBZOYMfnV+dMDcV+bNg Mn/iKafFIiu478BSgvxd+P166E4wXgfNIdlFDHbUzAl3Ocq652qDFpVEv4xE/Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1691158104; a=rsa-sha256; cv=none; b=FFYzdrYdAeQ/e46CRNkClJVPPkjIUROlo7+so+rFtiG6NVRUpnJAGm88D3XXhP07Vgpido tqh6T7S6Q609Hp9q/fQcdrgCTxTWN0WFQlZnVu2i6YWKyypqANGcMSYSId3vFh+s/zTAXL AKCznXf+hg+mpiW2LeJBXe55Pb03Aducpm7UMB8JM41JJVMA80X4N3W5WhbQg36X40xEfq pF7zMREZsh01z0RayS/8bgxUGTSbi42muodNAbLY+4I5xJvpLn2nBAs5GkbVAFlAoL4pj7 SGTjXQuqroi9Ew80GbPpntFkJ2Hz6cIn/y5pqiESVXpkRq1l8IlJFaXG2zUl9Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RHSHD4lp9z14py; Fri, 4 Aug 2023 14:08:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 374E8O1w087524; Fri, 4 Aug 2023 14:08:24 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 374E8Ob8087523; Fri, 4 Aug 2023 14:08:24 GMT (envelope-from git) Date: Fri, 4 Aug 2023 14:08:24 GMT Message-Id: <202308041408.374E8Ob8087523@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: 3a0461f23a4f - stable/13 - pf: handle multiple IPv6 fragment headers List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 3a0461f23a4f4fe8fc82b3445285d3d07787b016 Auto-Submitted: auto-generated The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=3a0461f23a4f4fe8fc82b3445285d3d07787b016 commit 3a0461f23a4f4fe8fc82b3445285d3d07787b016 Author: Kristof Provost AuthorDate: 2023-07-13 08:25:49 +0000 Commit: Kristof Provost CommitDate: 2023-08-04 14:08:05 +0000 pf: handle multiple IPv6 fragment headers With 'scrub fragment reassemble' if a packet contains multiple IPv6 fragment headers we would reassemble the packet and immediately continue processing it. That is, we'd remove the first fragment header and expect the next header to be a final header (i.e. TCP, UDP, ICMPv6, ...). However, if it's another fragment header we'd not treat the packet correctly. That is, we'd fail to recognise the payload and treat it as if it were an IPv6 fragment rather than as its actual payload. Fix this by restarting the normalisation on the reassembled packet. If there are multiple fragment headers drop the packet. Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome) MFC after: instant Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 76afcbb52492f9b3e72ee7d4c4ed0a54c25e1c48) --- sys/netpfil/pf/pf_norm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index cac9c1fe391f..ae026fb9cee1 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1216,6 +1216,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len) goto drop; +again: + h = mtod(m, struct ip6_hdr *); plen = ntohs(h->ip6_plen); /* jumbo payload option not supported */ if (plen == 0) @@ -1286,6 +1288,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, return (PF_PASS); fragment: + if (pd->flags & PFDESC_IP_REAS) + return (PF_DROP); if (sizeof(struct ip6_hdr) + plen > m->m_pkthdr.len) goto shortpkt; @@ -1303,7 +1307,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, return (PF_DROP); pd->flags |= PFDESC_IP_REAS; - return (PF_PASS); + goto again; shortpkt: REASON_SET(reason, PFRES_SHORT);