The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=d62832e21a0e396470bbe072ad33496e708db582

commit d62832e21a0e396470bbe072ad33496e708db582
Author:     Kristof Provost <[email protected]>
AuthorDate: 2025-02-06 15:43:14 +0000
Commit:     Kristof Provost <[email protected]>
CommitDate: 2025-02-12 19:38:38 +0000

    pf: make length overlow protection more obvious
    
    Before pulling the TCP options from the mbuf onto the stack, do an
    additional length check in pf_modulate_sack() and pf_normalize_mss().
    Overflow cannot happen due to the restricted values in the length
    calculation.  As this is not obvious, it is better to be safe than sorry.
    OK henning@
    
    Obtained from:  OpenBSD, henning <[email protected]>, a9e7ebb0d5
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c      | 2 +-
 sys/netpfil/pf/pf_norm.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 3a56e6855d6f..6fdc0996324b 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -3867,7 +3867,7 @@ pf_modulate_sack(struct pf_pdesc *pd, struct tcphdr *th,
        struct sackblk sack;
 
 #define        TCPOLEN_SACKLEN (TCPOLEN_SACK + 2)
-       if (hlen < TCPOLEN_SACKLEN ||
+       if (hlen < TCPOLEN_SACKLEN || hlen > MAX_TCPOPTLEN ||
            !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, hlen, NULL, NULL, 
pd->af))
                return 0;
 
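Review bot: The new upper bound compares `hlen` against `MAX_TCPOPTLEN`, while the buffer it protects, `opts`, is declared outside the hunk; if `opts` is sized by a different constant the guard and the buffer can drift apart silently, so tying the check to the destination, `if (hlen < TCPOLEN_SACKLEN || hlen > (int)sizeof(opts) ||`, keeps them in step. The same applies to the `cnt > MAX_TCPOPTLEN` test added in pf_normalize_mss in pf_norm.c. Since `th_off` is a 4-bit field, `hlen` cannot exceed 40 and the bound never fires, as the commit message says, so a one-line comment such as `/* th_off is 4 bits, so hlen <= 40 == MAX_TCPOPTLEN; bound opts[] anyway */` would save the next reader the derivation. pf_modulate_sack's body begins and continues outside the hunk.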
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 7290ede8d393..6546f8684a68 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1945,8 +1945,8 @@ pf_normalize_mss(struct pf_pdesc *pd)
        thoff = th->th_off << 2;
        cnt = thoff - sizeof(struct tcphdr);
 
-       if (cnt > 0 && !pf_pull_hdr(pd->m, pd->off + sizeof(*th), opts, cnt,
-           NULL, NULL, pd->af))
+       if (cnt <= 0 || cnt > MAX_TCPOPTLEN || !pf_pull_hdr(pd->m,
+           pd->off + sizeof(*th), opts, cnt, NULL, NULL, pd->af))
                return (0);
 
        for (; cnt > 0; cnt -= optlen, optp += optlen) {
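Review bot: The new `cnt <= 0` rejection only catches a truncated TCP header if `cnt` actually goes negative, but `cnt = thoff - sizeof(struct tcphdr)` two lines above is evaluated in `size_t` and then narrowed to `int` (assuming `thoff` and `cnt` are `int`, as their use suggests), so a `th_off` below 5 reaches the guard through an implementation-defined conversion rather than a signed subtraction. Presumably an earlier header-length check already drops such packets, in which case this is harmless, but `cnt = thoff - (int)sizeof(struct tcphdr);` makes the arithmetic signed and the guard self-evidently correct. The rest of pf_normalize_mss, including the option walk that consumes `cnt`, lies outside the hunk.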
