Diffusion FreeBSD src repository 3bb82353b528

pf: reject hop-by-hop if it's not the first extension header
3bb82353b528
Actions

Edit Commit
Download Raw Diff
Edit Related Objects...
Edit Revisions
Mute Notifications
Flag For Later
Award Token

Description

pf: reject hop-by-hop if it's not the first extension header

The pf fragment reassembly code accepted IPv6 hop-by-hop headers
after fragment headers. Add an extra check that the hop-by-hop
header is always the first extension header after the IPv6 header.
Found by Antonios Atlasis; OK sthen@ mpi@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 17ea4b2bcd
Sponsored by: Rubicon Communications, LLC ("Netgate")

Details

Provenance

kp	Authored on May 6 2025, 9:18 AM

Parents

rG033b34069626: pf: use pd->m in pf_route() and pf_route6()

Branches

Unknown

Tags

Unknown

Event Timeline

kp committed rG3bb82353b528: pf: reject hop-by-hop if it's not the first extension header (authored by kp).May 8 2025, 1:10 PM

Changes (1)

Path

Size

sys/

netpfil/

pf/

pf.c

rG3bb82353b528

View Options