CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Kristof Provost <kp@FreeBSD.org>
	Thu, 13 Jul 2023 08:25:49 +0000 (10:25 +0200)
committer	Gordon Tetlow <gordon@FreeBSD.org>
	Wed, 6 Sep 2023 16:58:39 +0000 (09:58 -0700)
commit	41b7760991efda33f696c45d9eeaefd8bc63a847
tree	98bf18dfcf60e45e3ef2dda37a0828dd0e9f65a1	tree \| snapshot
parent	902c13c4cf689db74ed85879f8fa523bb71f74de	commit \| diff

pf: handle multiple IPv6 fragment headers

With 'scrub fragment reassemble' if a packet contains multiple IPv6
fragment headers we would reassemble the packet and immediately
continue processing it.

That is, we'd remove the first fragment header and expect the next
header to be a final header (i.e. TCP, UDP, ICMPv6, ...). However, if
it's another fragment header we'd not treat the packet correctly.
That is, we'd fail to recognise the payload and treat it as if it were
an IPv6 fragment rather than as its actual payload.

Fix this by restarting the normalisation on the reassembled packet.
If there are multiple fragment headers drop the packet.

Reported by: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Approved by: so
Security: FreeBSD-SA-23:10.pf
Security: CVE-2023-4809

(cherry picked from commit 76afcbb52492f9b3e72ee7d4c4ed0a54c25e1c48)
(cherry picked from commit 3a0461f23a4f4fe8fc82b3445285d3d07787b016)