The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=6c5c91a039c77244dac38f638a8e2323ae78ff3d

commit 6c5c91a039c77244dac38f638a8e2323ae78ff3d
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2024-11-21 14:53:28 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2024-12-17 10:07:16 +0000

    pf: update pd->tot_len after reassembly
    
    Ensure that the packet length we track in struct pf_pdesc matches the
    reassembled packet size.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D47803
---
 sys/netpfil/pf/pf_norm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 350392623123..cea6f9e72638 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1198,6 +1198,7 @@ pf_normalize_ip(struct mbuf **m0, u_short *reason,
                        return (PF_DROP);
 
                h = mtod(pd->m, struct ip *);
+               pd->tot_len = htons(h->ip_len);
 
  no_fragment:
                /* At this point, only IP_DF is allowed in ip_off */
@@ -1228,6 +1229,7 @@ pf_normalize_ip6(struct mbuf **m0, int off, u_short 
*reason,
     struct pf_pdesc *pd)
 {
        struct pf_krule         *r;
+       struct ip6_hdr          *h;
        struct ip6_frag          frag;
        bool                     scrub_compat;
 
@@ -1294,6 +1296,8 @@ pf_normalize_ip6(struct mbuf **m0, int off, u_short 
*reason,
                pd->m = *m0;
                if (pd->m == NULL)
                        return (PF_DROP);
+               h = mtod(pd->m, struct ip6_hdr *);
+               pd->tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
        }
 
        return (PF_PASS);
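Review bot: The new `pd->tot_len` is derived from the `ip6_plen` header field alone, so it is only as accurate as whatever the reassembly step wrote into the header; nothing in the hunk ties it to the real length of the mbuf chain. Since tot_len presumably feeds later length decisions in pf, a debug-time cross-check after the assignment would catch a mismatch early, for example `KASSERT(pd->tot_len <= pd->m->m_pkthdr.len, ("%s: tot_len exceeds packet length", __func__));`. The same applies to the IPv4 assignment in the first hunk. The reassembly call and the rest of pf_normalize_ip6 lie outside the hunk, so whether this invariant is already enforced there cannot be confirmed from here.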
