Page MenuHomeFreeBSD
Differential D57095

ipfilter: Validate length before checksum
ClosedPublic
Actions

Authored by cy on May 19 2026, 3:46 PM.
Tags
None
Referenced Files
F160703800: D57095.diff
Fri, Jun 26, 11:45 PM
Unknown Object (File)
Thu, Jun 18, 9:05 AM
Unknown Object (File)
Wed, Jun 17, 12:34 PM
Unknown Object (File)
Tue, Jun 9, 6:25 AM
Unknown Object (File)
Sun, Jun 7, 2:19 PM
Unknown Object (File)
Sun, Jun 7, 2:14 PM
Unknown Object (File)
Sun, Jun 7, 1:20 AM
Unknown Object (File)
Sun, Jun 7, 1:16 AM
View All 38 Files
Subscribers
imp
melifaro
vegeta_tuxpowered.net

Details

Reviewers
markj
glebius
Commits
rGf296b1fd3e9a: ipfilter: Validate length before checksum
rG77dd10b2408e: ipfilter: Validate length before checksum
rG8dfb0805fc31: ipfilter: Validate length before checksum
Summary

Validate the length of the packet listed in the mbuf is the same as
the calculated packet length. If not reject the packet and bump the
bad packet stat.

PR: 295198
MFC after: 3 days

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

cy created this revision.May 19 2026, 3:46 PM
Herald added subscribers: vegeta_tuxpowered.net, melifaro, imp. · View Herald TranscriptMay 19 2026, 3:46 PM
cy requested review of this revision.May 19 2026, 3:46 PM
Harbormaster completed remote builds in B73227: Diff 178111.May 19 2026, 3:46 PM
markj added a comment.May 19 2026, 11:42 PM

I ran this through the test suite and didn't see any problems, so it's ok with me. I wasn't able to reproduce the crash consistently before, only quite rarely, so it's hard to say that the problem is fixed for sure.

At a glance it's not clear to me that fin->fin_m is always going to have a mbuf header, i.e., that fin->fin_m->m_pkthdr will be valid.

cy added a comment.May 20 2026, 12:11 AM
In D57095#1308692, @markj wrote:

I ran this through the test suite and didn't see any problems, so it's ok with me. I wasn't able to reproduce the crash consistently before, only quite rarely, so it's hard to say that the problem is fixed for sure.

At a glance it's not clear to me that fin->fin_m is always going to have a mbuf header, i.e., that fin->fin_m->m_pkthdr will be valid.

It may not always have an mbuf header. That field is set to NULL when ipfilter creates its own packet. This is why the test for fin->fin_m != NULL. Otherwise a packet header will always be present. This has been running on my internet gateway for over a week.

cy updated this revision to Diff 178179.May 20 2026, 4:32 AM

Apply markj's suggestion, test for valid packet header.

Harbormaster completed remote builds in B73267: Diff 178179.May 20 2026, 4:32 AM
This revision was not accepted when it landed; it landed in state Needs Review.May 20 2026, 3:36 PM
Closed by commit rG8dfb0805fc31: ipfilter: Validate length before checksum (authored by cy). · Explain Why
This revision was automatically updated to reflect the committed changes.
cy added a commit: rG8dfb0805fc31: ipfilter: Validate length before checksum.
cy added a commit: rG77dd10b2408e: ipfilter: Validate length before checksum.May 27 2026, 1:41 PM
cy added a commit: rGf296b1fd3e9a: ipfilter: Validate length before checksum.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
ipfilter/
netinet/
17 lines

Diff 178213

View Options

sys/netpfil/ipfilter/netinet/fil.c

Loading...