Date: Wed, 25 Jun 2025 20:04:45 GMT
Message-Id: <202506252004.55PK4jth080738@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: cd0169c9379c - main - pf: limit extra SCTP states
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: cd0169c9379c400ec75b77e87ca770e37f964276
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=cd0169c9379c400ec75b77e87ca770e37f964276

commit cd0169c9379c400ec75b77e87ca770e37f964276
Author:     Kristof Provost
AuthorDate: 2025-06-21 09:13:22 +0000
Commit:     Kristof Provost
CommitDate: 2025-06-25 20:04:15 +0000

    pf: limit extra SCTP states

    For SCTP we create states for all combinations of endpoints, to allow
    multihoming to work.

    Malicious users could abuse this to fill our state table more easily
    than they otherwise could, because we create states between all
    combinations of endpoints.

    Limit this to no more than 8 extra endpoints for each side of the
    connection.

    MFC after:      2 weeks
    Sponsored by:   Orange Business Services

--- sys/netpfil/pf/pf.c | 11 +++++++++++ tests/sys/netpfil/pf/sctp.py | 28 ++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 908f1b83e542..c162b3dd8b3c 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -205,6 +205,8 @@ VNET_DEFINE(size_t, pf_allrulecount); VNET_DEFINE(struct pf_krule *, pf_rulemarker); #endif +#define PF_SCTP_MAX_ENDPOINTS 8 + struct pf_sctp_endpoint; RB_HEAD(pf_sctp_endpoints, pf_sctp_endpoint); struct pf_sctp_source { 
@@ -7297,6 +7299,7 @@ pf_sctp_multihome_add_addr(struct pf_pdesc *pd, struct pf_addr *a, uint32_t v_ta }; struct pf_sctp_source *i; struct pf_sctp_endpoint *ep; + int count; PF_SCTP_ENDPOINTS_LOCK(); @@ -7315,13 +7318,21 @@ pf_sctp_multihome_add_addr(struct pf_pdesc *pd, struct pf_addr *a, uint32_t v_ta } /* Avoid inserting duplicates. */ + count = 0; TAILQ_FOREACH(i, &ep->sources, entry) { + count++; if (pf_addr_cmp(&i->addr, a, pd->af) == 0) { PF_SCTP_ENDPOINTS_UNLOCK(); return; } } + /* Limit the number of addresses per endpoint. */ + if (count >= PF_SCTP_MAX_ENDPOINTS) { + PF_SCTP_ENDPOINTS_UNLOCK(); + return; + } + i = malloc(sizeof(*i), M_PFTEMP, M_NOWAIT); if (i == NULL) { PF_SCTP_ENDPOINTS_UNLOCK(); diff --git a/tests/sys/netpfil/pf/sctp.py b/tests/sys/netpfil/pf/sctp.py index 230dbae0d327..da42ce527195 100644 --- a/tests/sys/netpfil/pf/sctp.py +++ b/tests/sys/netpfil/pf/sctp.py 
@@ -426,6 +426,34 @@ class TestSCTP(VnetTestTemplate): assert re.search(r"all sctp 192.0.2.4:.*192.0.2.3:1234", states) assert re.search(r"all sctp 192.0.2.4:.*192.0.2.2:1234", states) + @pytest.mark.require_user("root") + def test_limit_addresses(self): + srv_vnet = self.vnet_map["vnet2"] + + ifname = self.vnet_map["vnet1"].iface_alias_map["if1"].name + for i in range(0, 16): + ToolsHelper.print_output("/sbin/ifconfig %s inet alias 192.0.2.%d/24" % (ifname, 4 + i)) + + ToolsHelper.print_output("/sbin/pfctl -e") + ToolsHelper.pf_rules([ + "block proto sctp", + "pass on lo", + "pass inet proto sctp to 192.0.2.0/24"]) + + # Set up a connection, which will try to create states for all addresses + # we have assigned + client = SCTPClient("192.0.2.3", 1234) + client.send(b"hello", 0) + rcvd = self.wait_object(srv_vnet.pipe) + print(rcvd) + assert rcvd['ppid'] == 0 + assert rcvd['data'] == "hello" + + # But the number should be limited to 9 (original + 8 extra) + states = ToolsHelper.get_output("/sbin/pfctl -ss | grep 192.0.2.2") + print(states) + assert(states.count('\n') <= 9) + @pytest.mark.require_user("root") def test_disallow_related(self): srv_vnet = self.vnet_map["vnet2"]
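Review bot: the name at `+#define PF_SCTP_MAX_ENDPOINTS 8` (first pf.c hunk) does not match what the value bounds: the later hunk's own comment says "Limit the number of addresses per endpoint", i.e. it caps the per-endpoint source-address list, not the number of endpoints, and the define carries no explanation. Suggest a name such as PF_SCTP_MAX_ADDRS_PER_ENDPOINT, or at least a comment above the define saying that it caps the address list so a multihomed peer cannot inflate the state table, and that the 8 here is the "8 extra" from the commit message so the two stay in sync if either is changed.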
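Review bot: in the `@@ -7315,13 +7318,21 @@` hunk the new branch `if (count >= PF_SCTP_MAX_ENDPOINTS)` unlocks and returns silently, so an operator has no way to tell that an association's extra addresses were dropped, and an abusive peer hitting the limit is indistinguishable from a quiet success. Suggest bumping a counter (or emitting a debug-level message) in that branch so the condition is visible from pfctl, which is also what makes the limit useful as a detection signal rather than only a mitigation. The placement is otherwise right: the duplicate scan runs first, so an address already in the list is still accepted once the list is full, and counting inside the existing TAILQ_FOREACH adds no extra walk. Minor: the comment says "addresses per endpoint" while the macro says ENDPOINTS; align the wording.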
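Review bot: in the sctp.py hunk, `assert(states.count('\n') <= 9)` only bounds the state count from above, so test_limit_addresses also passes if the association produced a single state (for example if the multihome path were broken or the aliases never came up), which is the opposite of what the test should prove. Add a lower bound, e.g. assert the count is exactly 9, and spell out in the comment how 9 follows from PF_SCTP_MAX_ENDPOINTS being 8 (the original address plus 8 extra), since that arithmetic is currently only implied. Also drop or reduce the two debugging print() calls, and write the assertion as `assert states.count('\n') <= 9` to match the `assert re.search(...)` style used just above it.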