CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org   2021/01/19 15:22:23

Modified files:
        sys/net        : if_pflog.c pf.c 

Log message:
pflog(4) tried to log the translated packet with rdr-to, nat-to,
and af-to addresses and ports applied.  Therefore it created a mbuf
chain on the stack with a partial copy.  This is too complicated
for IP options, extension header, NAT46 af-to, and fragmented mbuf
chains.  It even caused a crash in syzkaller.  Usually the length
checks in pf_setup_pdesc() rejected the faked mbuf and the goto
copy logged the packet unmodified.  Remove the pflog_mtap() function
and call bpf_mtap_hdr() directly.  As the old buggy code was bypassed
in most cases, tcpdump(8) output of pflog does not change.
Unconditionally log the unmodified packet.
Reported-by: syzbot+947e89e06ac3fec18...@syzkaller.appspotmail.com
OK sashan@
