
pf: add missing IPv6 length check
ClosedPublic

Authored by kp on Jul 15 2025, 9:52 AM.

Details

Summary

We failed to verify that the packet was long enough for the provided IPv6 packet
length. This could result in us walking off the end of the mbuf and panicking.

PR: 288224
Reported by: Robert Morris <rtm@lcs.mit.edu>
Sponsored by: Rubicon Communications, LLC ("Netgate")
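As an added illustration of the length check this revision introduces (this is example code written for this page, not the FreeBSD pf source), the following standalone C program applies the same comparison over a plain byte buffer: the data actually held (pkt_len, standing in for pd->m->m_pkthdr.len) must be at least the fixed header size plus the header's ip6_plen field. The verdict enum, the build_ip6() packet builder, verdict_for() and the sample packets are all constructed for the example. Note that an ip6_plen of 0 (the jumbogram case) satisfies this comparison trivially, so later parsing of extension headers still needs its own per-access bounds checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed IPv6 header size; stands in for sizeof(struct ip6_hdr). */
#define IP6_HDR_LEN 40u

/* Constructed verdicts for this example (not pf's own return codes). */
enum verdict {
    V_PASS = 0,            /* lengths are consistent, continue parsing */
    V_DROP_SHORT_HDR,      /* buffer cannot even hold the fixed header */
    V_DROP_PLEN_TOO_LONG   /* ip6_plen claims more bytes than we hold */
};

/* ip6_plen occupies bytes 4..5 of the header, in network byte order. */
static uint16_t ip6_plen(const uint8_t *pkt)
{
    return (uint16_t)(((uint16_t)pkt[4] << 8) | pkt[5]);
}

/*
 * The check under review, expressed over a byte buffer: the bytes we
 * actually hold (pkt_len, the analogue of m_pkthdr.len) must cover
 * sizeof(struct ip6_hdr) + ntohs(ip6_plen). Otherwise a parser trusting
 * ip6_plen would read past the end of the data.
 */
enum verdict check_ip6_len(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < IP6_HDR_LEN)
        return V_DROP_SHORT_HDR;
    if (pkt_len < IP6_HDR_LEN + ip6_plen(pkt))
        return V_DROP_PLEN_TOO_LONG;
    return V_PASS;
}

/*
 * Build a constructed IPv6 packet into buf: a fixed header whose ip6_plen
 * field says claimed_plen, followed by actual_payload bytes of filler.
 * Returns the number of bytes written, or 0 if buf is too small.
 */
size_t build_ip6(uint8_t *buf, size_t cap, uint16_t claimed_plen, size_t actual_payload)
{
    if (cap < IP6_HDR_LEN + actual_payload)
        return 0;
    memset(buf, 0, IP6_HDR_LEN);
    buf[0] = 0x60;                          /* version 6, traffic class 0 */
    buf[4] = (uint8_t)(claimed_plen >> 8);  /* payload length, big endian */
    buf[5] = (uint8_t)(claimed_plen & 0xff);
    buf[6] = 59;                            /* next header: IPPROTO_NONE */
    buf[7] = 64;                            /* hop limit */
    buf[23] = 1;                            /* source ::1 */
    buf[39] = 1;                            /* destination ::1 */
    memset(buf + IP6_HDR_LEN, 0xAB, actual_payload);
    return IP6_HDR_LEN + actual_payload;
}

static uint8_t g_buf[256];

/* Build a packet with the given claimed/actual lengths and check it. */
enum verdict verdict_for(uint16_t claimed_plen, size_t actual_payload)
{
    size_t n = build_ip6(g_buf, sizeof g_buf, claimed_plen, actual_payload);
    return check_ip6_len(g_buf, n);
}

int main(void)
{
    static const char *names[] = {
        "PASS", "DROP: short header", "DROP: ip6_plen exceeds data held"
    };
    printf("plen=8,    8 payload bytes   -> %s\n", names[verdict_for(8, 8)]);
    printf("plen=1000, 8 payload bytes   -> %s\n", names[verdict_for(1000, 8)]);
    /* Extra trailing bytes are not caught by this one-sided check. */
    printf("plen=8,   64 payload bytes   -> %s\n", names[verdict_for(8, 64)]);
    /* plen=0 is the jumbogram encoding; the comparison is vacuous here. */
    printf("plen=0,    8 payload bytes   -> %s\n", names[verdict_for(0, 8)]);
    printf("20-byte buffer               -> %s\n", names[check_ip6_len(g_buf, 20)]);
    return 0;
}
```

The check is deliberately one-sided, matching the expression quoted in the review: it rejects a payload length larger than the data present, which is the condition that leads off the end of the mbuf, but says nothing about trailing bytes beyond ip6_plen.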

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

kp requested review of this revision. Jul 15 2025, 9:52 AM
emaste added inline comments.
sys/netpfil/pf/pf.c
10174

Should we move this check earlier as well? (I.e., is it possible to craft a corrupt jumbogram that would crash in pf_walk_header6 because it passed the pd->m->m_pkthdr.len < sizeof(struct ip6_hdr) + ntohs(h->ip6_plen) test?)

sys/netpfil/pf/pf.c
10174

There wouldn't be any harm in it, and because it's an unconditional drop it should probably be done as early as possible, but I don't think it's an issue.

pf_walk_header6() does all of its mbuf accesses via pf_pull_hdr(), which checks that we're within the mbuf bounds.

This revision is now accepted and ready to land. Jul 15 2025, 7:18 PM
This revision was automatically updated to reflect the committed changes.