Date: Wed, 16 Jul 2025 11:57:39 GMT
Message-Id: <202507161157.56GBvdpc047513@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: cb43e97aea11 - main - pf: add missing IPv6 length check
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: cb43e97aea11a788972f977ea68c518bfb7fc0c1

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=cb43e97aea11a788972f977ea68c518bfb7fc0c1

commit cb43e97aea11a788972f977ea68c518bfb7fc0c1
Author:     Kristof Provost
AuthorDate: 2025-07-15 08:40:25 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-16 11:33:51 +0000

    pf: add missing IPv6 length check

    We failed to verify that the packet was long enough for the provided
    IPv6 packet length. This could result in us walking off the end of the
    mbuf and panicking.

    PR:             288224
    Reported by:    Robert Morris
    Tested by:      Robert Morris
    Reviewed by:    emaste
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D51324
---
 sys/netpfil/pf/pf.c           |  6 ++++++
 tests/sys/netpfil/pf/nat64.py | 15 +++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index ad42f1cccd33..9acfb19645b7 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -10141,6 +10141,12 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, } h = mtod(pd->m, struct ip6_hdr *); + if (pd->m->m_pkthdr.len < + sizeof(struct ip6_hdr) + ntohs(h->ip6_plen)) { + *action = PF_DROP; + REASON_SET(reason, PFRES_SHORT); + return (-1); + } if (pf_walk_header6(pd, h, reason) != PF_PASS) { *action = PF_DROP; 
diff --git a/tests/sys/netpfil/pf/nat64.py b/tests/sys/netpfil/pf/nat64.py index adae2489ce5e..5cc4713a16cc 100644 --- a/tests/sys/netpfil/pf/nat64.py +++ b/tests/sys/netpfil/pf/nat64.py @@ -272,3 +272,18 @@ class TestNAT64(VnetTestTemplate): reply = self.common_test_source_addr(packet) icmp = reply.getlayer(sp.ICMPv6EchoRequest) assert icmp + + @pytest.mark.require_user("root") + @pytest.mark.require_progs(["scapy"]) + def test_bad_len(self): + """ + PR 288224: we can panic if the IPv6 plen is longer than the packet length. + """ + ToolsHelper.print_output("/sbin/route -6 add default 2001:db8::1") + import scapy.all as sp + + packet = sp.IPv6(dst="64:ff9b::198.51.100.2", hlim=2, plen=512) \ + / sp.ICMPv6EchoRequest() / sp.Raw("foo") + reply = sp.sr1(packet, timeout=3) + # We don't expect a reply to a corrupted packet + assert not reply
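Review bot: In the pf_setup_pdesc hunk of sys/netpfil/pf/pf.c, the new comparison against `sizeof(struct ip6_hdr) + ntohs(h->ip6_plen)` has no comment saying why it must run before `pf_walk_header6()`. A one-line comment stating that the header walk depends on ip6_plen not extending past `m_pkthdr.len` would keep a later refactor from moving or dropping the check. An ip6_plen of 0 also reduces the test to `len < sizeof(struct ip6_hdr)`, so the comment should say whether the jumbo-payload case is meant to be covered here or left to the header walk.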
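Review bot: In test_bad_len in tests/sys/netpfil/pf/nat64.py, `assert not reply` after `sp.sr1(packet, timeout=3)` also passes when the packet never reaches pf, for example if the `route -6 add default` step had no effect, so the test can succeed without exercising the new length check. Consider sending a well-formed echo request afterwards, the way the preceding test does with `self.common_test_source_addr(packet)`, and asserting that it is answered; that shows both that the path works and that the host survived the bad packet.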