pf: limit how many headers we look at
ClosedPublic
Actions

Authored by kp on Jun 3 2025, 12:48 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Fri, May 22, 9:25 AM

	Unknown Object (File)
	Tue, May 19, 12:39 AM

	Unknown Object (File)
	Sun, May 17, 3:34 PM

	Unknown Object (File)
	Sun, May 17, 10:48 AM

	Unknown Object (File)
	Sat, May 16, 7:38 PM

	Unknown Object (File)
	Thu, May 14, 2:57 PM

	Unknown Object (File)
	Sun, May 10, 9:30 AM

	Unknown Object (File)
	Wed, Apr 29, 3:32 AM

Subscribers

vegeta_tuxpowered.net

Details

Reviewers

None

Group Reviewers

pfsense

Commits

rGdda88af8fa4e: pf: limit how many headers we look at

Summary

Limit the nested header chain for IPv6 extensions headers and for
authentication headers in the IPv4 case. This prevents spending
excessive cpu time on crafted packets.
OK henning@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 2e5bc81177
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.Jun 3 2025, 12:48 PM

Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 2 others. · View Herald TranscriptJun 3 2025, 12:48 PM

kp requested review of this revision.Jun 3 2025, 12:48 PM

Harbormaster completed remote builds in B64608: Diff 156465.Jun 3 2025, 12:48 PM

kp added a parent revision: D50658: pf: use 'struct ah' for the AH extension header rather than 'struct ip6_ext'.Jun 3 2025, 12:48 PM

kp added a child revision: D50660: pf tests: verify header processing limit.

This revision was not accepted when it landed; it landed in state Needs Review.Jun 6 2025, 11:17 AM

Closed by commit rGdda88af8fa4e: pf: limit how many headers we look at (authored by kp). · Explain Why

This revision was automatically updated to reflect the committed changes.

kp added a commit: rGdda88af8fa4e: pf: limit how many headers we look at.

Revision Contents
Changeset List

Path

Size

sys/

netpfil/

pf/

pf.c

18 lines

Diff 156612

View Options

pf: limit how many headers we look atClosedPublicActions