On Fri, Nov 18, 2016 at 11:33:33PM +0100, Alexandr Nedvedicky wrote:
> how about using 'goto free_ipv6_frag' ? It better explains, what's
> going to happen.
makes sense
bluhm
Index: net/pf_norm.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf_norm.c,v
retrieving revision 1.195
diff -u -p -r1.195 pf_norm.c
--- net/pf_norm.c 26 Oct 2016 21:07:22 -0000 1.195
+++ net/pf_norm.c 21 Nov 2016 09:55:36 -0000
@@ -331,16 +331,16 @@ pf_fillup_fragment(struct pf_fragment_cm
/* Non terminal fragments must have more fragments flag */
if (frent->fe_off + frent->fe_len < total && !frent->fe_mff)
- goto bad_fragment;
+ goto free_ipv6_fragment;
/* Check if we saw the last fragment already */
if (!TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_mff) {
if (frent->fe_off + frent->fe_len > total ||
(frent->fe_off + frent->fe_len == total && frent->fe_mff))
- goto bad_fragment;
+ goto free_ipv6_fragment;
} else {
if (frent->fe_off + frent->fe_len == total && !frent->fe_mff)
- goto bad_fragment;
+ goto free_ipv6_fragment;
}
/* Find a fragment after the current one */
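Review bot: The three checks of `frent->fe_off + frent->fe_len` against `total` now jump to `free_ipv6_fragment`, but their comments still say only what is invalid, not that the outcome depends on the address family. Judging from the label added in the second hunk, an `AF_INET` fragment is redirected to `bad_fragment` while anything else falls into `free_fragment`, whose comment cites RFC 5722; that appears to mean an inconsistent length or more-fragments flag discards the whole IPv6 reassembly queue rather than only this fragment. I would add a comment above the first check, for example `/* Inconsistent length/MFF: IPv4 drops this fragment, IPv6 drops the whole queue (RFC 5722) */`. The new label also sits outside `#ifdef INET6` while its `fr_af` test is inside, so a kernel built without INET6 relies on falling through to whatever follows the `#endif`, which is not visible here and is worth confirming. pf_fillup_fragment starts and ends outside the hunk.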
@@ -406,7 +406,10 @@ pf_fillup_fragment(struct pf_fragment_cm
return (frag);
+free_ipv6_fragment:
#ifdef INET6
+ if (frag->fr_af == AF_INET)
+ goto bad_fragment;
free_fragment:
/*
* RFC 5722, Errata 3089: When reassembling an IPv6 datagram, if one