The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=986abfeb9358011af892f177c102dd3249196e02

commit 986abfeb9358011af892f177c102dd3249196e02
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-07-16 11:58:42 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-07-23 13:35:43 +0000

    pf: run Jumbogram check before we walk the headers
    
    While it is safe to run pf_walk_header6() on a packet with a 0 ip6_plen, we're
    better off doing this check first. It's more obviously correct, and it's a very
    simple check to reject a packet.
    
    Suggested by:   emaste
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 9517e9b8c9bc..1310445c4063 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -10149,6 +10149,15 @@ pf_setup_pdesc(sa_family_t af, int dir, struct 
pf_pdesc *pd, struct mbuf **m0,
                        return (-1);
                }
 
+               /*
+                * we do not support jumbogram.  if we keep going, zero ip6_plen
+                * will do something bad, so drop the packet for now.
+                */
+               if (htons(h->ip6_plen) == 0) {
+                       *action = PF_DROP;
+                       return (-1);
+               }
+
                if (pf_walk_header6(pd, h, reason) != PF_PASS) {
                        *action = PF_DROP;
                        return (-1);
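Review bot: The moved check at `if (htons(h->ip6_plen) == 0)` sets `*action = PF_DROP` but never touches `*reason`, whereas the neighbouring pf_walk_header6() path at least passes `reason` down, so a jumbogram drop presumably lands in no drop-reason counter and is hard to account for from pf statistics; if this function's usual `REASON_SET(reason, PFRES_...)` convention applies here, setting it before the `return (-1)` would make these drops visible. As a point of style, a wire-order field is conventionally read with `ntohs()`; comparing with 0 is byte-order independent so `htons()` is not wrong, but `if (ntohs(h->ip6_plen) == 0)` states the intent. The comment's "will do something bad" could name the contract instead, e.g. `/* Jumbograms (ip6_plen == 0, RFC 2675) are not supported and later processing assumes a non-zero payload length, so drop the packet here. */`. pf_setup_pdesc() begins and ends outside this hunk.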
@@ -10168,15 +10177,6 @@ pf_setup_pdesc(sa_family_t af, int dir, struct 
pf_pdesc *pd, struct mbuf **m0,
                pd->virtual_proto = (pd->fragoff != 0) ?
                    PF_VPROTO_FRAGMENT : pd->proto;
 
-               /*
-                * we do not support jumbogram.  if we keep going, zero ip6_plen
-                * will do something bad, so drop the packet for now.
-                */
-               if (htons(h->ip6_plen) == 0) {
-                       *action = PF_DROP;
-                       return (-1);
-               }
-
                /* We do IP header normalization and packet reassembly here */
                if (pf_normalize_ip6(pd->fragoff, reason, pd) !=
                    PF_PASS) {
