Author: kp Date: Fri Mar 1 18:12:07 2019 New Revision: 344707 URL: https://svnweb.freebsd.org/changeset/base/344707
Log: MFC r344691: pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic We mistakenly used the extoff value from the last packet to patch the next_header field. If a malicious host sends a chain of fragmented packets where the first packet and the final packet have different lengths or number of extension headers we'd patch the next_header at the wrong offset. This can potentially lead to panics or rule bypasses. Reported by: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv Approved by: so Obtained from: OpenBSD Security: CVE-2019-5597 Modified: stable/11/sys/netpfil/pf/pf_norm.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netpfil/pf/pf_norm.c ============================================================================== --- stable/11/sys/netpfil/pf/pf_norm.c Fri Mar 1 18:12:05 2019 (r344706) +++ stable/11/sys/netpfil/pf/pf_norm.c Fri Mar 1 18:12:07 2019 (r344707) @@ -659,11 +659,11 @@ pf_reassemble6(struct mbuf **m0, struct ip6_hdr *ip6, } /* We have all the data. */ + frent = TAILQ_FIRST(&frag->fr_queue); + KASSERT(frent != NULL, ("frent != NULL")); extoff = frent->fe_extoff; maxlen = frag->fr_maxlen; frag_id = frag->fr_id; - frent = TAILQ_FIRST(&frag->fr_queue); - KASSERT(frent != NULL, ("frent != NULL")); total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off + TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len; hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag); _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"