Hi,

In his talk in 2013 Antonios Atlasis found other places where we do not drop the whole state together with overlapping IPv6 fragments.
https://www.troopers.de/wp-content/uploads/2013/01/TROOPERS13-Fragmentation_Overlapping_Attacks_Against_IPv6_One_Year_Later-Antonios_Atlasis.pdf When I implemented this, I thought these are just invalid fragments. But they can be overlapping and it makes sense to follow RFC 5722 more strictly here. Drop the whole fragment state if IPv6 fragments appear which have invalid length, fragment-offset or more-fragment-bit. ok? bluhm Index: net/pf_norm.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf_norm.c,v retrieving revision 1.195 diff -u -p -r1.195 pf_norm.c --- net/pf_norm.c 26 Oct 2016 21:07:22 -0000 1.195 +++ net/pf_norm.c 17 Nov 2016 13:47:35 -0000 @@ -331,16 +331,16 @@ pf_fillup_fragment(struct pf_fragment_cm /* Non terminal fragments must have more fragments flag */ if (frent->fe_off + frent->fe_len < total && !frent->fe_mff) - goto bad_fragment; + goto overlap_fragment; /* Check if we saw the last fragment already */ if (!TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_mff) { if (frent->fe_off + frent->fe_len > total || (frent->fe_off + frent->fe_len == total && frent->fe_mff)) - goto bad_fragment; + goto overlap_fragment; } else { if (frent->fe_off + frent->fe_len == total && !frent->fe_mff) - goto bad_fragment; + goto overlap_fragment; } /* Find a fragment after the current one */ @@ -406,7 +406,10 @@ pf_fillup_fragment(struct pf_fragment_cm return (frag); +overlap_fragment: #ifdef INET6 + if (frag->fr_af == AF_INET) + goto bad_fragment; free_fragment: /* * RFC 5722, Errata 3089: When reassembling an IPv6 datagram, if one
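Review bot: in the first hunk (@@ -331,16) the three checks that are redirected from `goto bad_fragment` to `goto overlap_fragment` keep their old comments ("Non terminal fragments must have more fragments flag", "Check if we saw the last fragment already"), which still read as per-fragment sanity checks, while the new label drops the whole IPv6 reassembly state. A short comment at the first redirected check, stating that a fragment whose length, offset or more-fragments bit contradicts fragments already queued is treated as an overlap for IPv6 (RFC 5722) and therefore goes to `overlap_fragment`, would keep the label name from surprising the next reader, since none of the three conditions is a byte-range overlap in the literal sense.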
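Review bot: in the second hunk (@@ -406,7) the new `if (frag->fr_af == AF_INET) goto bad_fragment;` is placed inside `#ifdef INET6`, so in a kernel built without INET6 the new `overlap_fragment:` label falls straight through to whatever follows the `#endif`, which is outside the visible context. It is worth confirming that path ends at `bad_fragment` for the IPv4-only build, or, simpler, moving the address-family test above `#ifdef INET6` so the fall-through is the same in both configurations. A one-line comment above the test ("IPv4 drops only the offending fragment, IPv6 drops the whole state per RFC 5722") would also document why the two families diverge here.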