The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=a00d0cad0aab8aee22521cd753fa9a1bab6d6531
commit a00d0cad0aab8aee22521cd753fa9a1bab6d6531 Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-07-18 13:04:18 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-07-23 13:35:46 +0000 pf: handle truncated IP options in ICMP In pf the kernel paniced if IP options in packet within ICMP payload were truncated. Drop such packets instead. Reported-by: syzbot+91abd3aa2fdfe900f...@syzkaller.appspotmail.com OK sashan@ claudio@ Obtained from: OpenBSD, bluhm <bl...@openbsd.org>, 0271abd8e4 Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 20641fbcbce4..9ef69ee09bb8 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9805,6 +9805,13 @@ pf_walk_option(struct pf_pdesc *pd, struct ip *h, int off, int end,
 {
 uint8_t type, length, opts[15 * 4 - sizeof(struct ip)];
 
+ /* IP header in payload of ICMP packet may be too short */
+ if (pd->m->m_pkthdr.len < end) {
+ DPFPRINTF(PF_DEBUG_MISC, ("IP option too short\n"));
+ REASON_SET(reason, PFRES_SHORT);
+ return (PF_DROP);
+ }
+
 MPASS(end - off <= sizeof(opts));
 m_copydata(pd->m, off, end - off, opts);
 end -= off;
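Review bot: The copy into the fixed-size stack array `opts` is still bounded only by `MPASS(end - off <= sizeof(opts))`, which is an assertion and, to my knowledge, compiles to nothing in kernels built without INVARIANTS; the added guard checks `end` against `pd->m->m_pkthdr.len` but not the copy length itself. Whether every caller guarantees `off <= end` and `end - off <= sizeof(opts)` is not visible in this hunk, so if that is not ensured by construction the same drop path could enforce it at runtime, e.g. `if (end < off || end - off > (int)sizeof(opts) || pd->m->m_pkthdr.len < end) {`. Note also that a negative `end - off` is converted to a large unsigned value in the MPASS comparison, so the explicit `end < off` test makes that case readable rather than implicit. The parameter list and the rest of pf_walk_option's body lie outside the hunk.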