author | bluhm <bluhm@openbsd.org> | 2016-11-21 17:52:20 +0000 |
---|---|---|
committer | bluhm <bluhm@openbsd.org> | 2016-11-21 17:52:20 +0000 |
commit | f0f63321f28f76a02dac8db178f3e8915d33fe2c (patch) | |
tree | d809fb8b1b590c2fd6f52b48c4c64faf209e8791 | |
parent | Add ability to change media type (diff) | |
Follow RFC 5722 more strictly when handling overlapping fragments
in pf. Drop the whole fragment state if IPv6 fragments appear which
have invalid length or fragment-offset or more-fragment-bit. In
IPv4 they are considered invalid and just dropped like before.
Found by Antonios Atlasis; OK sashan@ sthen@
-rw-r--r-- | sys/net/pf_norm.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index 6a68280d54b..b8741645baf 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.195 2016/10/26 21:07:22 bluhm Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.196 2016/11/21 17:52:20 bluhm Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -331,16 +331,16 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent, /* Non terminal fragments must have more fragments flag */ if (frent->fe_off + frent->fe_len < total && !frent->fe_mff) - goto bad_fragment; + goto free_ipv6_fragment; /* Check if we saw the last fragment already */ if (!TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_mff) { if (frent->fe_off + frent->fe_len > total || (frent->fe_off + frent->fe_len == total && frent->fe_mff)) - goto bad_fragment; + goto free_ipv6_fragment; } else { if (frent->fe_off + frent->fe_len == total && !frent->fe_mff) - goto bad_fragment; + goto free_ipv6_fragment; } /* Find a fragment after the current one */ @@ -406,7 +406,10 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent, return (frag); +free_ipv6_fragment: #ifdef INET6 + if (frag->fr_af == AF_INET) + goto bad_fragment; free_fragment: /* * RFC 5722, Errata 3089: When reassembling an IPv6 datagram, if one |
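Review bot: The new `free_ipv6_fragment:` label in the last hunk sits outside `#ifdef INET6` while the address-family test and the `free_fragment:` path it falls into are inside it, so a reader has to work out that a build without INET6 falls straight through to whatever follows the `#endif` (presumably `bad_fragment:`, which lies outside the hunk); a comment at the label would make the two outcomes explicit, e.g. `/* RFC 5722 applies to IPv6 only: IPv4 drops just this fragment, IPv6 drops the whole reassembly state */`. The test `frag->fr_af == AF_INET` expresses the decision in terms of the family that is exempted rather than the one the RFC covers; `frag->fr_af != AF_INET6` would state the intent directly, though with only two families in pf the behaviour is the same. Since these drops are the response to overlapping or malformed fragments that may be a deliberate evasion attempt, the free path would also benefit from a debug trace or counter at this point (if the file's existing debug logging is usable here, which the hunk does not show) so operators can see how often whole fragment states are discarded. pf_fillup_fragment begins before the second hunk and continues past the end of the third.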