https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295198

            Bug ID: 295198
           Summary: ipfilter apparently doesn't validate packet lengths
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: [email protected]
          Reporter: [email protected]

I saw a crash while running the test suite:

panic: in6_cksum_partial_l2: mbuf len (51) < off(40)+len(512)
cpuid = 8
time = 1778434309
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe00f11d7c70
kdb_backtrace() at kdb_backtrace+0xc6/frame 0xfffffe00f11d7dd0
vpanic() at vpanic+0x214/frame 0xfffffe00f11d7f70
panic() at panic+0xb5/frame 0xfffffe00f11d8030
in6_cksum_partial_l2() at in6_cksum_partial_l2+0x37e/frame 0xfffffe00f11d8120
fr_cksum() at fr_cksum+0x155/frame 0xfffffe00f11d8180
ipf_checkl4sum() at ipf_checkl4sum+0x144/frame 0xfffffe00f11d81c0
ipf_checkv6sum() at ipf_checkv6sum+0x81/frame 0xfffffe00f11d81f0
ipf_makefrip() at ipf_makefrip+0x2396/frame 0xfffffe00f11d8350
ipf_check() at ipf_check+0x3c4/frame 0xfffffe00f11d85f0
ipf_check_wrapper6() at ipf_check_wrapper6+0xd3/frame 0xfffffe00f11d8650
pfil_mbuf_in() at pfil_mbuf_in+0x7c/frame 0xfffffe00f11d8690
ip6_input() at ip6_input+0xbdd/frame 0xfffffe00f11d88b0
netisr_dispatch_src() at netisr_dispatch_src+0x1aa/frame 0xfffffe00f11d8990
ether_demux() at ether_demux+0x301/frame 0xfffffe00f11d8a50
ether_nh_input() at ether_nh_input+0x6ec/frame 0xfffffe00f11d8b30
netisr_dispatch_src() at netisr_dispatch_src+0x1aa/frame 0xfffffe00f11d8c10
ether_input() at ether_input+0x1ac/frame 0xfffffe00f11d8cf0
epair_tx_start_deferred() at epair_tx_start_deferred+0x140/frame 0xfffffe00f11d8d50
taskqueue_run_locked() at taskqueue_run_locked+0x3c2/frame 0xfffffe00f11d8eb0
taskqueue_thread_loop() at taskqueue_thread_loop+0x138/frame 0xfffffe00f11d8ef0
fork_exit() at fork_exit+0xa3/frame 0xfffffe00f11d8f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00f11d8f30
--- trap 0x5be18f56, rip = 0x10b55be18f96, rsp = 0x10b55be18fc6, rbp = 0x10b55be18ee6 ---

The basic problem here is:
(gdb) frame 25
#25 ipf_makefrip (hlen=hlen@entry=40, ip=ip@entry=0xfffffe00f40c456e, fin=fin@entry=0xfffffe00f11d8410) at /home/markj/sb/main/src/sys/netpfil/ipfilter/netinet/fil.c:2029
2029                    ipf_pr_ipv6hdr(fin);
(gdb) p fin->fin_plen
$17 = 552
(gdb) p fin->fin_m->m_pkthdr.len
$18 = 51

That is, the packet's IPv6 header says the packet is longer than it actually
is.  This causes an underflow in fr_cksum() which causes the panic. 
Surprisingly I cannot find any code in ipfilter which actually checks for this
condition.  Of course, ip6_input() does, but that happens after pfil hooks run.

So I presume we should add a check for this, presumably in ipf_makefrip(),
after the protocol-specific packet length field is extracted.  But who knows
what other validation is missing.

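The length check that the report says is missing, written out as an added standalone example (not ipfilter's code and not any actual FreeBSD patch): it reproduces the numbers from the panic message, a 51-byte packet whose IPv6 header advertises 512 bytes of payload, and applies the same "does the advertised payload fit in the bytes we actually have" test that ip6_input() performs later. Function and enum names, and the constructed packets, are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40   /* fixed IPv6 header size */

/* Result codes of the check (hypothetical names, not ipfilter's). */
enum ip6_len_check {
    IP6_LEN_OK = 0,           /* header + advertised payload fit in the packet */
    IP6_LEN_SHORT_HDR = -1,   /* fewer than 40 bytes: no complete IPv6 header */
    IP6_LEN_TRUNCATED = -2,   /* ip6_plen claims more bytes than are present */
    IP6_LEN_BAD_VERSION = -3  /* version nibble is not 6 */
};

/* Payload length field: bytes 4-5 of the header, network byte order. */
static uint16_t ip6_payload_len(const uint8_t *hdr)
{
    return (uint16_t)((hdr[4] << 8) | hdr[5]);
}

/* pkt_len is the number of bytes actually present (m_pkthdr.len in the
 * report).  The check must run before any code derives an L4 length from
 * ip6_plen, otherwise "available - advertised" underflows as in fr_cksum(). */
int ip6_check_len(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < IPV6_HDR_LEN)
        return IP6_LEN_SHORT_HDR;
    if ((pkt[0] >> 4) != 6)
        return IP6_LEN_BAD_VERSION;
    size_t advertised = ip6_payload_len(pkt);
    /* pkt_len >= 40 here, so this subtraction cannot wrap. */
    if (pkt_len - IPV6_HDR_LEN < advertised)
        return IP6_LEN_TRUNCATED;
    /* Extra trailing bytes are legal: ip6_input() trims them rather than
     * dropping the packet, so they are accepted here as well. */
    return IP6_LEN_OK;
}

/* Constructed packet: fixed header with the given ip6_plen, next header 58
 * (ICMPv6), src/dst ::1, followed by 'payload' zero bytes.  Returns the
 * total number of bytes written, 0 if the buffer is too small. */
size_t build_ip6_packet(uint8_t *buf, size_t cap, uint16_t plen, size_t payload)
{
    size_t total = IPV6_HDR_LEN + payload;
    if (total > cap)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                      /* version 6, traffic class 0 */
    buf[4] = (uint8_t)(plen >> 8);      /* ip6_plen, big endian */
    buf[5] = (uint8_t)(plen & 0xff);
    buf[6] = 58;                        /* next header: ICMPv6 */
    buf[7] = 64;                        /* hop limit */
    buf[23] = 1;                        /* src ::1 */
    buf[39] = 1;                        /* dst ::1 */
    return total;
}

/* Build a packet advertising 'plen' payload bytes but carrying 'payload'
 * real ones, and run the check on it. */
int check_case(uint16_t plen, size_t payload)
{
    uint8_t buf[1024];
    size_t n = build_ip6_packet(buf, sizeof buf, plen, payload);
    return n == 0 ? IP6_LEN_SHORT_HDR : ip6_check_len(buf, n);
}

int main(void)
{
    /* The report's numbers: 40 + 512 = 552 advertised, 51 bytes present. */
    printf("plen 512, 11 payload bytes -> %d (expect %d)\n",
           check_case(512, 11), IP6_LEN_TRUNCATED);
    printf("plen 11,  11 payload bytes -> %d (expect %d)\n",
           check_case(11, 11), IP6_LEN_OK);
    printf("plen 8,   11 payload bytes -> %d (trailing bytes are fine)\n",
           check_case(8, 11));
    return 0;
}
```

The check belongs wherever the filter first trusts ip6_plen; anything that subtracts the advertised length from the bytes actually present before this point reproduces the wrap that ends in the in6_cksum_partial_l2 panic above.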