author: kp <kp@FreeBSD.org> 2019-03-01 18:12:07 +0000
committer: Renato Botelho <renato@netgate.com> 2019-05-13 16:46:26 -0300
commit: fed039d3092243b82f8b05665ff26c241f04f948 (patch)
tree: e0445297e0b31435d64968eb1a1c41ecbc065796
parent: ff7d4801f1b88de656e028209818ff005e8a1353 (diff)
download: FreeBSD-src-fed039d3092243b82f8b05665ff26c241f04f948.zip
          FreeBSD-src-fed039d3092243b82f8b05665ff26c241f04f948.tar.gz
MFC r344691:
pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic

We mistakenly used the extoff value from the last packet to patch the next_header field. If a malicious host sends a chain of fragmented packets where the first packet and the final packet have different lengths or number of extension headers we'd patch the next_header at the wrong offset. This can potentially lead to panics or rule bypasses.

Reported by: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
Approved by: so
Obtained from: OpenBSD
Security: CVE-2019-5597

(cherry picked from commit 7a414c941a0fca9f111c2f3d405eb16c71c8374d)
-rw-r--r-- sys/netpfil/pf/pf_norm.c | 4
1 file changed, 2 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 3e01363..ca6f02b 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -660,11 +660,11 @@ pf_reassemble6(struct mbuf **m0, struct ip6_hdr *ip6, struct ip6_frag *fraghdr,
}
/* We have all the data. */
+ frent = TAILQ_FIRST(&frag->fr_queue);
+ KASSERT(frent != NULL, ("frent != NULL"));
extoff = frent->fe_extoff;
maxlen = frag->fr_maxlen;
frag_id = frag->fr_id;
- frent = TAILQ_FIRST(&frag->fr_queue);
- KASSERT(frent != NULL, ("frent != NULL"));
total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off +
TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len;
hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag);
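Review bot: the reorder is correct but the invariant it restores is not recorded in the code. On the unchanged line `extoff = frent->fe_extoff;`, `frent` previously held whatever the preceding code left in it (per the commit message, the last fragment processed) rather than the head of `frag->fr_queue`, so the next_header patch used that fragment's extension-header offset; chains whose first and last fragments differ in length or number of extension headers therefore got the wrong offset. Moving `frent = TAILQ_FIRST(&frag->fr_queue);` and its KASSERT ahead of that read fixes it, and `hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag);` further down now consistently derives from the same first fragment. Suggest a one-line comment above the moved lines, e.g. `/* extoff and hdrlen must come from the first fragment. */`, so a future reorder of these assignments cannot quietly reintroduce CVE-2019-5597.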