Index: head/tests/sys/netpfil/pf/CVE-2019-5597.py
===================================================================
--- head/tests/sys/netpfil/pf/CVE-2019-5597.py	(nonexistent)
+++ head/tests/sys/netpfil/pf/CVE-2019-5597.py	(revision 344692)
@@ -0,0 +1,35 @@
+#!/usr/local/bin/python2.7
+
+import random
+import scapy.all as sp
+import sys
+
+UDP_PROTO  = 17
+AH_PROTO   = 51
+FRAG_PROTO = 44
+
+def main():
+    intf = sys.argv[1]
+    ipv6_src = sys.argv[2]
+    ipv6_dst = sys.argv[3]
+
+    ipv6_main = sp.IPv6(dst=ipv6_dst, src=ipv6_src)
+
+    padding = 8
+    fid = random.randint(0,100000)
+    frag_0 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=1, offset=0)
+    frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=padding/8)
+    
+    pkt1_opts = sp.AH(nh=AH_PROTO, payloadlen=200) \
+            / sp.Raw('XXXX' * 199) \
+            / sp.AH(nh=FRAG_PROTO, payloadlen=1) \
+            / frag_1
+
+    pkt0 = sp.Ether() / ipv6_main / frag_0 / sp.Raw('A' * padding)
+    pkt1 = sp.Ether() / ipv6_main / pkt1_opts / sp.Raw('B' * padding)
+
+    sp.sendp(pkt0, iface=intf, verbose=False)
+    sp.sendp(pkt1, iface=intf, verbose=False)
+
+if __name__ == '__main__':
+	main()

Property changes on: head/tests/sys/netpfil/pf/CVE-2019-5597.py
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/tests/sys/netpfil/pf/Makefile
===================================================================
--- head/tests/sys/netpfil/pf/Makefile	(revision 344691)
+++ head/tests/sys/netpfil/pf/Makefile	(revision 344692)
@@ -1,27 +1,29 @@
 # $FreeBSD$
 
 PACKAGE=	tests
 
 TESTSDIR=       ${TESTSBASE}/sys/netpfil/pf
 TESTS_SUBDIRS+=	ioctl
 
 ATF_TESTS_SH+=	anchor \
 		pass_block \
 		forward \
 		fragmentation \
 		names \
 		nat \
 		set_tos \
 		rdr \
 		route_to \
 		synproxy \
 		set_skip \
 		pfsync
 
 ${PACKAGE}FILES+=	utils.subr \
 			echo_inetd.conf \
-			pft_ping.py
+			pft_ping.py \
+			CVE-2019-5597.py
 
 ${PACKAGE}FILESMODE_pft_ping.py=	0555
+${PACKAGE}FILESMODE_CVE-2019-5597.py=	0555
 
 .include <bsd.test.mk>
Index: head/tests/sys/netpfil/pf/fragmentation.sh
===================================================================
--- head/tests/sys/netpfil/pf/fragmentation.sh	(revision 344691)
+++ head/tests/sys/netpfil/pf/fragmentation.sh	(revision 344692)
@@ -1,118 +1,123 @@
 # $FreeBSD$
 
 . $(atf_get_srcdir)/utils.subr
 
 atf_test_case "too_many_fragments" "cleanup"
 
 too_many_fragments_head()
 {
 	atf_set descr 'IPv4 fragment limitation test'
 	atf_set require.user root
 }
 
 too_many_fragments_body()
 {
 	pft_init
 
 	epair=$(pft_mkepair)
 	pft_mkjail alcatraz ${epair}a
 
 	ifconfig ${epair}b inet 192.0.2.1/24 up
 	jexec alcatraz ifconfig ${epair}a 192.0.2.2/24 up
 
 	ifconfig ${epair}b mtu 200
 	jexec alcatraz ifconfig ${epair}a mtu 200
 
 	jexec alcatraz pfctl -e
 	pft_set_rules alcatraz \
 		"scrub all fragment reassemble"
 
 	# So we know pf is limiting things
 	jexec alcatraz sysctl net.inet.ip.maxfragsperpacket=1024
 
 	# Sanity check
 	atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2
 
 	# We can ping with < 64 fragments
 	atf_check -s exit:0 -o ignore ping -c 1 -s 800 192.0.2.2
 
 	# Too many fragments should fail
 	atf_check -s exit:2 -o ignore ping -c 1 -s 20000 192.0.2.2
 }
 
 too_many_fragments_cleanup()
 {
 	pft_cleanup
 }
 
 atf_test_case "v6" "cleanup"
 v6_head()
 {
 	atf_set descr 'IPv6 fragmentation test'
 	atf_set require.user root
 	atf_set require.progs scapy
 }
 
 v6_body()
 {
 	pft_init
 
 	epair_send=$(pft_mkepair)
 	epair_link=$(pft_mkepair)
 
 	pft_mkjail alcatraz ${epair_send}b ${epair_link}a
 	pft_mkjail singsing ${epair_link}b
 
 	ifconfig ${epair_send}a inet6 2001:db8:42::1/64 no_dad up
 
 	jexec alcatraz ifconfig ${epair_send}b inet6 2001:db8:42::2/64 no_dad up
 	jexec alcatraz ifconfig ${epair_link}a inet6 2001:db8:43::2/64 no_dad up
 	jexec alcatraz sysctl net.inet6.ip6.forwarding=1
 
 	jexec singsing ifconfig ${epair_link}b inet6 2001:db8:43::3/64 no_dad up
 	jexec singsing route add -6 2001:db8:42::/64 2001:db8:43::2
 	route add -6 2001:db8:43::/64 2001:db8:42::2
 
 	jexec alcatraz ifconfig ${epair_send}b inet6 -ifdisabled
 	jexec alcatraz ifconfig ${epair_link}a inet6 -ifdisabled
 	jexec singsing ifconfig ${epair_link}b inet6 -ifdisabled
 	ifconfig ${epair_send}a inet6 -ifdisabled
 
 	jexec alcatraz pfctl -e
 	pft_set_rules alcatraz \
 		"scrub fragment reassemble" \
 		"block in" \
 		"pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
 		"pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }"
 
 	# Host test
 	atf_check -s exit:0 -o ignore \
 		ping6 -c 1 2001:db8:42::2
 
 	atf_check -s exit:0 -o ignore \
 		ping6 -c 1 -s 4500 2001:db8:42::2
 
 	atf_check -s exit:0 -o ignore\
 		ping6 -c 1 -b 70000 -s 65000 2001:db8:42::2
 
 	# Forwarding test
 	atf_check -s exit:0 -o ignore \
 		ping6 -c 1 2001:db8:43::3
 
 	atf_check -s exit:0 -o ignore \
 		ping6 -c 1 -s 4500 2001:db8:43::3
 
 	atf_check -s exit:0 -o ignore\
 		ping6 -c 1 -b 70000 -s 65000 2001:db8:43::3
+
+	$(atf_get_srcdir)/CVE-2019-5597.py \
+		${epair_send}a \
+		2001:db8:42::1 \
+		2001:db8:43::3
 }
 
 v6_cleanup()
 {
 	pft_cleanup
 }
 
 atf_init_test_cases()
 {
 	atf_add_test_case "too_many_fragments"
 	atf_add_test_case "v6"
 }