opnsense/src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-02-04 03:00:53 -06:00
Code Issues Packages Projects Releases Wiki Activity

pf: do not keep state when dropping overlapping IPv6 fragments

Browse Source 
ok sperreault@

Obtained from:	OpenBSD, bluhm <bluhm@openbsd.org>, cd45765685
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 3b79f6d2d39405bcac395dc036ceb6f8fd09ce99)
This commit is contained in:
Kristof Provost 2025-01-09 14:11:11 +01:00 committed by Franco Fichtner
parent 7386d91261
commit ebfe6da010
1 changed files with 8 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
sys/netpfil/pf/pf_norm.c
View File

@ -606,15 +606,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent,
return (frag);
}
if (TAILQ_EMPTY(&frag->fr_queue)) {
/*
* Overlapping IPv6 fragments have been detected. Do not
* reassemble packet but also drop future fragments.
* This will be done for this ident/src/dst combination
* until fragment queue timeout.
*/
goto drop_fragment;
}
KASSERT(!TAILQ_EMPTY(&frag->fr_queue), ("!TAILQ_EMPTY()->fr_queue"));
/* Remember maximum fragment len for refragmentation. */
if (frent->fe_len > frag->fr_maxlen)
@ -651,7 +643,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent,
uint16_t precut;
if (frag->fr_af == AF_INET6)
goto flush_fragentries;
goto free_fragment;
precut = prev->fe_off + prev->fe_len - frent->fe_off;
if (precut >= frent->fe_len) {
@ -715,21 +707,15 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent,
return (frag);
flush_fragentries:
free_fragment:
/*
* RFC5722: When reassembling an IPv6 datagram, if one or
* more its constituent fragments is determined to be an
* overlapping fragment, the entire datagram (and any constituent
* fragments, including those not yet received) MUST be
* silently discarded.
* RFC 5722, Errata 3089: When reassembling an IPv6 datagram, if one
* or more its constituent fragments is determined to be an overlapping
* fragment, the entire datagram (and any constituent fragments) MUST
* be silently discarded.
*/
DPFPRINTF(("flush overlapping fragments\n"));
while ((prev = TAILQ_FIRST(&frag->fr_queue)) != NULL) {
TAILQ_REMOVE(&frag->fr_queue, prev, fr_next);
m_freem(prev->fe_m);
uma_zfree(V_pf_frent_z, prev);
}
pf_free_fragment(frag);
bad_fragment:
REASON_SET(reason, PFRES_FRAG);