On Fri, Nov 18, 2016 at 11:33:33PM +0100, Alexandr Nedvedicky wrote: > how about using 'goto free_ipv6_frag' ? It better explains what's > going to happen.
makes sense bluhm

Index: net/pf_norm.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf_norm.c,v
retrieving revision 1.195
diff -u -p -r1.195 pf_norm.c
--- net/pf_norm.c	26 Oct 2016 21:07:22 -0000	1.195
+++ net/pf_norm.c	21 Nov 2016 09:55:36 -0000
@@ -331,16 +331,16 @@ pf_fillup_fragment(struct pf_fragment_cm
 
 	/* Non terminal fragments must have more fragments flag */
 	if (frent->fe_off + frent->fe_len < total && !frent->fe_mff)
-		goto bad_fragment;
+		goto free_ipv6_fragment;
 
 	/* Check if we saw the last fragment already */
 	if (!TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_mff) {
 		if (frent->fe_off + frent->fe_len > total ||
 		    (frent->fe_off + frent->fe_len == total && frent->fe_mff))
-			goto bad_fragment;
+			goto free_ipv6_fragment;
 	} else {
 		if (frent->fe_off + frent->fe_len == total && !frent->fe_mff)
-			goto bad_fragment;
+			goto free_ipv6_fragment;
 	}
 
 	/* Find a fragment after the current one */
@@ -406,7 +406,10 @@ pf_fillup_fragment(struct pf_fragment_cm
 	return (frag);
 
+free_ipv6_fragment:
 #ifdef INET6
+	if (frag->fr_af == AF_INET)
+		goto bad_fragment;
 free_fragment:
 	/*
 	 * RFC 5722, Errata 3089: When reassembling an IPv6 datagram, if one
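Review bot: The three redirected checks in the first hunk are length/more-fragments consistency checks rather than overlap detections, yet for an IPv6 datagram `goto free_ipv6_fragment` now discards every fragment already queued for that datagram, not only `frent`. That appears to be the intent of the RFC 5722 / Errata 3089 handling the new label leads into, but nothing at these three sites says so; a short comment above the first redirected goto, e.g. `/* Inconsistent fragment: for IPv6 the whole queue is flushed (RFC 5722) */`, would keep a later reader from "fixing" it back to bad_fragment. The new label and the `frag->fr_af == AF_INET` dispatch sit in the second hunk, which runs past the end of this excerpt, so whether a build without INET6 falls through from `free_ipv6_fragment:` to bad_fragment cannot be confirmed here. pf_fillup_fragment itself begins before the first hunk.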