CVSROOT:	/cvs
Module name:	src
Changes by:	bl...@cvs.openbsd.org	2023/09/08 15:15:02

Modified files:
	regress/sys/netinet6/frag6: Makefile
Added files:
	regress/sys/netinet6/frag6: frag6_doubleatomic.py

Log message:
Test pf and stack with double atomic IPv6 fragments.
That means the IPv6 header chain contains two fragment headers that
span the whole packet.  Such packets are illegal and pf drops them.
Otherwise they could bypass pf rules as described in CVE-2023-4809.
OpenBSD is not affected as pf_walk_header6() drops them with "IPv6
multiple fragment" log message.  This check has existed since 2013
when special support for atomic fragments was added to pf.
If pf is disabled, the IPv6 stack accepts such packets.  I do not
consider this a security issue.
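
The check the log message describes, sketched as an added example. This is not OpenBSD's pf code and not the contents of frag6_doubleatomic.py. The function and constant names, the verdict strings other than "IPv6 multiple fragment", and the sample packets are assumptions made for illustration.

```python
import struct

# IANA next-header numbers used in the IPv6 header chain
HOPOPTS, UDP, ROUTING, FRAGMENT, DSTOPTS = 0, 17, 43, 44, 60

def walk_header_chain(pkt: bytes):
    """Hypothetical filter check: return (verdict, reason, upper_proto)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("drop", "not IPv6", None)
    nxt, off, frags = pkt[6], 40, 0
    while True:
        if nxt not in (HOPOPTS, ROUTING, DSTOPTS, FRAGMENT):
            return ("pass", "upper-layer header reached", nxt)
        if off + 8 > len(pkt):
            return ("drop", "truncated extension header", None)
        if nxt == FRAGMENT:
            frags += 1
            if frags > 1:
                # The log message calls such packets illegal: drop them.
                return ("drop", "IPv6 multiple fragment", None)
            field = struct.unpack_from("!H", pkt, off + 2)[0]
            if field & 0xFFF8 or field & 1:  # offset != 0 or M flag set
                return ("reassemble", "non-atomic fragment", None)
            hlen = 8  # atomic fragment: fixed 8-byte header, keep walking
        else:
            hlen = (pkt[off + 1] + 1) * 8
            if off + hlen > len(pkt):
                return ("drop", "truncated extension header", None)
        nxt, off = pkt[off], off + hlen

# Constructed sample packets (addresses, ports and IDs are made up).
def ipv6(nxt, payload):
    addr = bytes(15) + b"\x01"
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + addr * 2 + payload

def frag_hdr(nxt, offset_flags=0, ident=1):
    return struct.pack("!BBHI", nxt, 0, offset_flags, ident)

UDP_HDR = struct.pack("!HHHH", 1234, 5678, 8, 0)
SINGLE_ATOMIC = ipv6(FRAGMENT, frag_hdr(UDP) + UDP_HDR)
DOUBLE_ATOMIC = ipv6(FRAGMENT, frag_hdr(FRAGMENT) + frag_hdr(UDP) + UDP_HDR)
FIRST_OF_MANY = ipv6(FRAGMENT, frag_hdr(UDP, offset_flags=1) + UDP_HDR)

if __name__ == "__main__":
    for name in ("SINGLE_ATOMIC", "DOUBLE_ATOMIC", "FIRST_OF_MANY"):
        print(name, walk_header_chain(globals()[name]))
```

A filter that stopped walking at the first atomic fragment header, or skipped over it without counting, would evaluate its rules against the wrong upper-layer header; counting fragment headers during the walk closes that gap.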