svn commit: r317335 - in stable/10/sys: netinet6 netpfil/pf

Sun, 23 Apr 2017 02:00:33 -0700 

Author: kp
Date: Sun Apr 23 08:59:57 2017
New Revision: 317335
URL: https://svnweb.freebsd.org/changeset/base/317335

Log:
  MFC r317186
  
  pf: Fix possible incorrect IPv6 fragmentation
  
  When forwarding pf tracks the size of the largest fragment in a fragmented
  packet, and refragments based on this size.
  It failed to ensure that this size was a multiple of 8 (as is required for all
  but the last fragment), so it could end up generating incorrect fragments.
  
  For example, if we received an 8 byte and 12 byte fragment pf would emit a 
first
  fragment with 12 bytes of payload and the final fragment would claim to be at
  offset 8 (not 12).
  
  We now assert that the fragment size is a multiple of 8 in ip6_fragment(), so
  other users won't make the same mistake.
  
  Reported by:    Antonios Atlasis <aatlasis at secfu net>

Modified:
  stable/10/sys/netinet6/ip6_output.c
  stable/10/sys/netpfil/pf/pf_norm.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netinet6/ip6_output.c
==============================================================================
--- stable/10/sys/netinet6/ip6_output.c Sun Apr 23 08:59:35 2017        
(r317334)
+++ stable/10/sys/netinet6/ip6_output.c Sun Apr 23 08:59:57 2017        
(r317335)
@@ -219,6 +219,8 @@ ip6_fragment(struct ifnet *ifp, struct m
        int error;
        int tlen = m0->m_pkthdr.len;
 
+       KASSERT(( mtu % 8 == 0), ("Fragment length must be a multiple of 8"));
+
        m = m0;
        ip6 = mtod(m, struct ip6_hdr *);
        mnext = &m->m_nextpkt;

Modified: stable/10/sys/netpfil/pf/pf_norm.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf_norm.c  Sun Apr 23 08:59:35 2017        
(r317334)
+++ stable/10/sys/netpfil/pf/pf_norm.c  Sun Apr 23 08:59:57 2017        
(r317335)
@@ -1128,6 +1128,10 @@ pf_refragment6(struct ifnet *ifp, struct
                hdr->ip6_nxt = IPPROTO_FRAGMENT;
        }
 
+       /* The MTU must be a multiple of 8 bytes, or we risk doing the
+        * fragmentation wrong. */
+       maxlen = maxlen & ~7;
+
        /*
         * Maxlen may be less than 8 if there was only a single
         * fragment.  As it was fragmented before, add a fragment
_______________________________________________
svn-src-stable-10@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10
To unsubscribe, send any mail to "svn-src-stable-10-unsubscr...@freebsd.org"

Reply via email to