author kp <kp@FreeBSD.org> 2017-04-23 08:58:50 +0000
committer kp <kp@FreeBSD.org> 2017-04-23 08:58:50 +0000
commit 573c4b124ffed246bfbbb7b0d6a99245b7036a71 (patch)
tree a0123f3877952e9833b0918f2a47f12f4b90304c /sys/netinet6
parent 703772c814eedcb43057d622868a158f654ffdad (diff)
MFC r317186

pf: Fix possible incorrect IPv6 fragmentation

When forwarding pf tracks the size of the largest fragment in a fragmented packet, and refragments based on this size. It failed to ensure that this size was a multiple of 8 (as is required for all but the last fragment), so it could end up generating incorrect fragments.

For example, if we received an 8 byte and 12 byte fragment pf would emit a first fragment with 12 bytes of payload and the final fragment would claim to be at offset 8 (not 12).

We now assert that the fragment size is a multiple of 8 in ip6_fragment(), so other users won't make the same mistake.

Reported by: Antonios Atlasis <aatlasis at secfu net>
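The offset arithmetic behind the commit message's 8 byte + 12 byte case, as an added example that is not part of the commit or of FreeBSD's code. The helper names are hypothetical, and rounding down to a multiple of 8 is shown as one possible caller-side remedy, an assumption rather than the change pf actually made.

```c
#include <stdint.h>
#include <stdio.h>

/* The IPv6 Fragment header stores the offset in units of 8 octets,
 * so a byte offset survives only as (offset >> 3). */
static uint32_t wire_offset(uint32_t byte_off)
{
	return ((byte_off >> 3) << 3);	/* what a receiver decodes */
}

/* Hypothetical helper: walk a payload split into frag_size-byte pieces
 * and count fragments whose decoded offset differs from the real one. */
static int misplaced_fragments(uint32_t payload_len, uint32_t frag_size,
    int verbose)
{
	int bad = 0;

	if (frag_size == 0)
		return (-1);
	for (uint32_t off = 0; off < payload_len; off += frag_size) {
		uint32_t len = payload_len - off < frag_size ?
		    payload_len - off : frag_size;
		uint32_t wire = wire_offset(off);

		if (verbose)
			printf("  data@%u len %u -> header offset %u%s\n",
			    off, len, wire, wire != off ? "  <-- wrong" : "");
		if (wire != off)
			bad++;
	}
	return (bad);
}

/* One caller-side remedy (an assumption here): round down to 8. */
static uint32_t round_down8(uint32_t size)
{
	return (size & ~(uint32_t)7);
}

int main(void)
{
	/* Constructed input from the commit message: 8 + 12 byte fragments. */
	uint32_t payload = 8 + 12, largest = 12;

	printf("fragment size %u:\n", largest);
	misplaced_fragments(payload, largest, 1);
	printf("fragment size %u:\n", round_down8(largest));
	misplaced_fragments(payload, round_down8(largest), 1);
	return (0);
}
```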
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- sys/netinet6/ip6_output.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 58bc645..962fee3 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -225,6 +225,8 @@ ip6_fragment(struct ifnet *ifp, struct mbuf *m0, int hlen, u_char nextproto,
int error;
int tlen = m0->m_pkthdr.len;
+ KASSERT(( mtu % 8 == 0), ("Fragment length must be a multiple of 8"));
+
m = m0;
ip6 = mtod(m, struct ip6_hdr *);
mnext = &m->m_nextpkt;
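Review bot: The KASSERT added at the top of ip6_fragment() is compiled in only on kernels built with INVARIANTS, so on a production kernel a caller that passes an mtu that is not a multiple of 8 still gets fragments with wrong offsets and nothing reports it. Consider also enforcing the constraint at run time (rejecting the value with an error, or rounding it down to a multiple of 8 before use) and stating the requirement in the function's comment so callers see the contract. The message says "Fragment length" while the expression tests mtu; naming the parameter and printing its value would make a panic easier to act on. Style nit: drop the stray space and the extra parentheses in `KASSERT(( mtu % 8 == 0), ...`.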