To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: 77dd10b2408e - stable/15 - ipfilter: Validate length before checksum
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 77dd10b2408eced1ac9eb63e27658491bf3ef701
Date: Wed, 27 May 2026 13:41:42 +0000
Message-Id: <6a16f496.1a1da.4f0a585@gitrepo.freebsd.org>

The branch stable/15 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=77dd10b2408eced1ac9eb63e27658491bf3ef701

commit 77dd10b2408eced1ac9eb63e27658491bf3ef701
Author:     Cy Schubert
AuthorDate: 2026-05-11 15:44:52 +0000
Commit:     Cy Schubert
CommitDate: 2026-05-27 13:41:25 +0000

    ipfilter: Validate length before checksum

    Validate the length of the packet listed in the mbuf is the same as the
    calculated packet length. If not, reject the packet and bump the bad
    packet stat.

    PR: 295198
    Differential Revision: https://reviews.freebsd.org/D57095

    (cherry picked from commit 8dfb0805fc31cd78940429ab0560dae7e8ab6536)
---
 sys/netpfil/ipfilter/netinet/fil.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c index 09640623fdf2..8acf37c4c81f 100644 --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -1991,7 +1991,7 @@ ipf_checkcipso(fr_info_t *fin, u_char *s, int ol) /* ------------------------------------------------------------------------ */ /* Function: ipf_makefrip */ -/* Returns: int - 0 == packet ok, -1 == packet freed */ +/* Returns: int - 0 == packet ok, -1 == packet freed or bad length */ /* Parameters: hlen(I) - length of IP packet header */ /* ip(I) - pointer to the IP header */ /* fin(IO) - pointer to packet information */ @@ -2019,14 +2019,23 @@ ipf_makefrip(int hlen, ip_t *ip, fr_info_t *fin) if (v == 4) { fin->fin_plen = ntohs(ip->ip_len); fin->fin_dlen = fin->fin_plen - hlen; - ipf_pr_ipv4hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_bad); + return (-1); + } else { + ipf_pr_ipv4hdr(fin); + } #ifdef USE_INET6 } else if (v == 6) { fin->fin_plen = ntohs(((ip6_t *)ip)->ip6_plen); fin->fin_dlen = fin->fin_plen; fin->fin_plen += hlen; - - ipf_pr_ipv6hdr(fin); + if (fin->fin_m != NULL && fin->fin_m->m_flags & M_PKTHDR && fin->fin_m->m_pkthdr.len < fin->fin_plen) { + LBUMPD(ipf_stats[fin->fin_out], fr_v6_bad); + return (-1); + } else { + ipf_pr_ipv6hdr(fin); + } #endif } if (fin->fin_ip == NULL) {
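
Review bot: the updated Returns line in the ipf_makefrip header comment (first hunk) now gives -1 two meanings with different mbuf ownership: "packet freed" and "bad length". The new bad-length paths return -1 without any free in the lines shown, so a caller that treats -1 as "mbuf already gone" and a caller that treats it as "mbuf still mine" cannot both be right. Either state in the comment who owns fin_m after a bad-length return, or use a distinct return value for that case.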
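
Review bot: the added condition in both the v4 and v6 branches of ipf_makefrip (second hunk) tests `fin->fin_m->m_pkthdr.len < fin->fin_plen`, so it rejects only packets whose IP header claims more bytes than the mbuf chain holds, while the commit message describes checking that the two lengths are the same. A one-line comment above the test saying that a longer mbuf is tolerated would make the intent explicit. The check is also skipped entirely when fin_m is NULL or the mbuf lacks M_PKTHDR, which deserves a mention in the same comment. On style: the condition is duplicated verbatim in both branches and sits on a single line well past 80 columns; wrap it, write the flag test as `(fin->fin_m->m_flags & M_PKTHDR) != 0`, and drop the `else` after `return (-1);` so the ipf_pr_ipv4hdr/ipf_pr_ipv6hdr calls keep their original indentation.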