The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=15fa3e7ec77e113de793ad23caa35dcbf6770c9d
commit 15fa3e7ec77e113de793ad23caa35dcbf6770c9d
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-07-15 14:40:21 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-07-23 13:35:43 +0000

pf: move IPv4 packet length check up

Perform this check ("Do we have enough data for the IP length?") so it happens before normalisation.

Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 009f7e4d78b1..9517e9b8c9bc 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -10090,6 +10090,13 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 return (-1);
 }
 
+ h = mtod(pd->m, struct ip *);
+ if (pd->m->m_pkthdr.len < ntohs(h->ip_len)) {
+ *action = PF_DROP;
+ REASON_SET(reason, PFRES_SHORT);
+ return (-1);
+ }
+
 if (pf_normalize_ip(reason, pd) != PF_PASS) {
 /* We do IP header normalization and packet reassembly here */
 *m0 = pd->m;
@@ -10097,13 +10104,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 return (-1);
 }
 *m0 = pd->m;
- h = mtod(pd->m, struct ip *);
- if (pd->m->m_pkthdr.len < ntohs(h->ip_len)) {
- *action = PF_DROP;
- REASON_SET(reason, PFRES_SHORT);
- return (-1);
- }
 
 if (pf_walk_header(pd, h, reason) != PF_PASS) {
 *action = PF_DROP;
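Review bot: `h` is now taken from `pd->m` before `pf_normalize_ip()`, and with the re-fetch deleted in the second hunk it is still the pointer handed to `pf_walk_header(pd, h, reason)` afterwards; the context comment says normalisation does packet reassembly and the `*m0 = pd->m;` write-back right after it shows `pd->m` can change there, so `h` may then point into the pre-reassembly mbuf rather than the packet actually being inspected. Keeping `h = mtod(pd->m, struct ip *);` after `*m0 = pd->m;` re-derives the header from whatever mbuf normalisation left in `pd->m`. The early `mtod()` read of `h->ip_len` also relies on the guard whose tail (`return (-1); }`) opens the hunk having ensured at least `sizeof(struct ip)` is contiguous; that guard is outside the hunk and worth confirming. pf_setup_pdesc() starts and ends outside this hunk.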