Page MenuHomeFreeBSD
Differential D40395

netinet: re-read IP length after PFIL hook
ClosedPublic
Actions

Authored by kp on Jun 2 2023, 7:27 PM.
Tags
None
Referenced Files
F86906229: D40395.id.diff
Thu, Jun 27, 7:31 AM
F86892379: D40395.diff
Thu, Jun 27, 3:26 AM
F86892378: D40395.diff
Thu, Jun 27, 3:26 AM
F86892377: D40395.diff
Thu, Jun 27, 3:26 AM
F86892376: D40395.diff
Thu, Jun 27, 3:26 AM
F86892373: D40395.diff
Thu, Jun 27, 3:26 AM
F86892371: D40395.diff
Thu, Jun 27, 3:26 AM
Unknown Object (File)
Fri, Jun 21, 11:08 PM
View All 48 Files
Subscribers
cy
glebius
imp
melifaro
mjg

Details

Reviewers
cy
Group Reviewers
network
pfsense
Commits
rGd0076c7a8653: netinet: re-read IP length after PFIL hook
rG0da2f02c1b2a: netinet: re-read IP length after PFIL hook
rG185c1cddd7ef: netinet: re-read IP length after PFIL hook
Summary

The pfil hook may modify the packet, so before we check its length (to
decide if it needs to be fragmented or not) we should re-read that
length.

This is most likely to happen when pf is reassembling packets. In that
scenario we'd receive the last fragment, which is likely to be a short
packet, pf would reassemble it (likely exceeding the interface MTU) and
then we'd transmit it without fragmenting, because we're comparing the
MTU to the length of the last fragment, not the fully reassembled
packet.

See also: https://redmine.pfsense.org/issues/14396
MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Jun 2 2023, 7:27 PM
Herald added subscribers: glebius, melifaro, imp. · View Herald TranscriptJun 2 2023, 7:27 PM
kp requested review of this revision.Jun 2 2023, 7:27 PM
Harbormaster completed remote builds in B51866: Diff 122768.Jun 2 2023, 7:27 PM
kp added a child revision: D40396: pf tests: test reassembly in the slow path.Jun 2 2023, 7:28 PM
mjg added a subscriber: mjg.Jun 2 2023, 8:20 PM

so the reload is only needed if hooks are present to begin with? as in it should get hoisted up

what about other fields:

ip = mtod(m, struct ip *);
ip_len = ntohs(ip->ip_len);
ip_off = ntohs(ip->ip_off);

ip is is already getting reloaded

kp mentioned this in D40397: if_epair: do not transmit packets that exceed the interface MTU.Jun 3 2023, 9:53 AM
kp updated this revision to Diff 122793.Jun 3 2023, 11:07 AM
  • move re-read of ip_len to only be done when we run pfil hooks.
Harbormaster completed remote builds in B51882: Diff 122793.Jun 3 2023, 11:07 AM
cy accepted this revision.Jun 5 2023, 3:20 PM
cy added a subscriber: cy.

LGTM

This revision is now accepted and ready to land.Jun 5 2023, 3:20 PM
Closed by commit rG185c1cddd7ef: netinet: re-read IP length after PFIL hook (authored by kp). · Explain WhyJun 6 2023, 8:53 AM
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG185c1cddd7ef: netinet: re-read IP length after PFIL hook.
kp added a commit: rGd0076c7a8653: netinet: re-read IP length after PFIL hook.Jun 28 2023, 9:16 AM
kp added a commit: rG0da2f02c1b2a: netinet: re-read IP length after PFIL hook.

Revision Contents
Changeset List

PathSize
sys/
netinet/
1 line

Diff 122879

View Options

sys/netinet/ip_output.c

Loading...