]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
projects / FreeBSD / FreeBSD.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 10d3f76) | patch
MFC r344691:
authorkp <kp@FreeBSD.org>
Fri, 1 Mar 2019 18:12:07 +0000 (18:12 +0000)
committerkp <kp@FreeBSD.org>
Fri, 1 Mar 2019 18:12:07 +0000 (18:12 +0000)
commit7a414c941a0fca9f111c2f3d405eb16c71c8374d
tree4fbdf31a8ae22a188c6c6df06cb9e7fb6250ba8etree | snapshot
parent10d3f767e62855c52a372efb83fa83bbbdcaa6becommit | diff
MFC r344691:

pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic

We mistakenly used the extoff value from the last packet to patch the
next_header field. If a malicious host sends a chain of fragmented packets
where the first packet and the final packet have different lengths or number of
extension headers we'd patch the next_header at the wrong offset.
This can potentially lead to panics or rule bypasses.

Reported by: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
Approved by: so
Obtained from: OpenBSD
Security: CVE-2019-5597
sys/netpfil/pf/pf_norm.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.