From nobody Wed Jul 23 14:23:49 2025
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Date: Wed, 23 Jul 2025 14:23:49 GMT
Message-Id: <202507231423.56NENn7d031211@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: a46974905b0e - main - pf: Make pf(4) more paranoid about IGMP/MLP messages.
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a46974905b0effca7bb2fdfb4b19360f6e9d8897
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a46974905b0effca7bb2fdfb4b19360f6e9d8897

commit a46974905b0effca7bb2fdfb4b19360f6e9d8897
Author:     Kristof Provost
AuthorDate: 2025-07-16 14:37:44 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-23 13:35:45 +0000

    pf: Make pf(4) more paranoid about IGMP/MLP messages.

    MLD/IGMP messages with ttl other than 1 will be discarded. Also MLD
    messages with other than link-local source address will be discarded.
    IGMP messages with destination address other than multicast class will
    be discarded.

    feedback and OK bluhm@, cluadio@

    Obtained from:  OpenBSD, sashan, 5f7837b6d7
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 0a951815656e..20641fbcbce4 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9872,8 +9872,16 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason) pd->off += hlen; pd->proto = h->ip_p; /* IGMP packets have router alert options, allow them */ - if (pd->proto == IPPROTO_IGMP) + if (pd->proto == IPPROTO_IGMP) { + /* According to RFC 1112 ttl must be set to 1. */ + if ((h->ip_ttl != 1) || + !IN_MULTICAST(ntohl(h->ip_dst.s_addr))) { + DPFPRINTF(PF_DEBUG_MISC, ("Invalid IGMP\n")); + REASON_SET(reason, PFRES_IPOPTIONS); + return (PF_DROP); + } pd->badopts &= ~PF_OPT_ROUTER_ALERT; + } /* stop walking over non initial fragments */ if ((h->ip_off & htons(IP_OFFMASK)) != 0) return (PF_PASS); @@ -10113,6 +10121,19 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason) case MLD_LISTENER_REPORT: case MLD_LISTENER_DONE: case MLDV2_LISTENER_REPORT: + /* + * According to RFC 2710 all MLD messages are + * sent with hop-limit (ttl) set to 1, and link + * local source address. If either one is + * missing then MLD message is invalid and + * should be discarded. + */ + if ((h->ip6_hlim != 1) || + !IN6_IS_ADDR_LINKLOCAL(&h->ip6_src)) { + DPFPRINTF(PF_DEBUG_MISC, ("Invalid MLD\n")); + REASON_SET(reason, PFRES_IPOPTIONS); + return (PF_DROP); + } pd->badopts &= ~PF_OPT_ROUTER_ALERT; break; }
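Review bot: in the pf_walk_header (IGMP) hunk the drop is attributed to PFRES_IPOPTIONS although the condition fails on the TTL or on a non-multicast destination, not on an IP option, so these drops will be counted and logged under the ip-options reason and cannot be told apart from genuine option rejections in pf statistics; the comment also cites only RFC 1112's TTL rule while the condition additionally requires `IN_MULTICAST(ntohl(h->ip_dst.s_addr))`. Suggest a dedicated reason code, or at least extending the comment to mention the destination requirement and making the debug message say which check failed, e.g. `DPFPRINTF(PF_DEBUG_MISC, ("Invalid IGMP: ttl %u dst %#x\n", h->ip_ttl, ntohl(h->ip_dst.s_addr)));`, so that an operator chasing dropped IGMP can see whether the TTL or the destination was the problem.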
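Review bot: in the pf_walk_header6 (MLD) hunk the source check `!IN6_IS_ADDR_LINKLOCAL(&h->ip6_src)` also rejects the unspecified address `::`, yet the new check covers `case MLDV2_LISTENER_REPORT:`, and RFC 3810 (section 5.2.13) permits an MLDv2 Report to be sent from `::` while the interface has not yet acquired a link-local address (during duplicate address detection) and requires receivers to accept such Reports; with this hunk pf would drop those Reports. Consider accepting `IN6_IS_ADDR_UNSPECIFIED(&h->ip6_src)` for the report cases, or limiting the link-local source requirement to queries and Done messages. Separately, unlike the IGMP hunk this one does not validate the destination; for symmetry consider also requiring `IN6_IS_ADDR_MULTICAST(&h->ip6_dst)` so the two protocols are held to the same rule.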