pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic
We mistakenly used the extoff value from the last packet to patch the next_header field. If a malicious host sends a chain of fragmented packets where the first packet and the final packet have different lengths or numbers of extension headers, we'd patch the next_header at the wrong offset. This can potentially lead to panics or rule bypasses. Security: CVE-2019-5597 Obtained from: OpenBSD Reported by: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
parent
b8da50d526
commit
6f4909de5f
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=344691
|
@ -836,11 +836,11 @@ pf_reassemble6(struct mbuf **m0, struct ip6_hdr *ip6, struct ip6_frag *fraghdr,
|
|||
}
|
||||
|
||||
/* We have all the data. */
|
||||
frent = TAILQ_FIRST(&frag->fr_queue);
|
||||
KASSERT(frent != NULL, ("frent != NULL"));
|
||||
extoff = frent->fe_extoff;
|
||||
maxlen = frag->fr_maxlen;
|
||||
frag_id = frag->fr_id;
|
||||
frent = TAILQ_FIRST(&frag->fr_queue);
|
||||
KASSERT(frent != NULL, ("frent != NULL"));
|
||||
total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off +
|
||||
TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len;
|
||||
hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag);
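Review bot: The reordered lines from `frent = TAILQ_FIRST(&frag->fr_queue);` down to `hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag);` carry no comment saying why `frent` must be re-pointed at the queue head before `extoff` and `hdrlen` are read, so nothing stops a later cleanup from moving that assignment back below those reads and reintroducing the bug this commit fixes. I would add directly above the new `frent = TAILQ_FIRST(...)` line: `/* extoff and hdrlen must come from the first fragment; the last one to arrive may carry a different extension header chain (CVE-2019-5597). */`. Note also that `KASSERT` is only active in kernels built with INVARIANTS, so the `frent->fe_extoff` read relies on the completeness check above the hunk guaranteeing a non-empty `fr_queue`, and the head of the queue being the first fragment presumably depends on `fr_queue` being kept sorted by offset, as the `TAILQ_LAST` use for `total` suggests; if both are invariants, the comment should say so rather than leaving it to the assert. `pf_reassemble6` begins and ends outside this hunk.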
|
||||
|
|