summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2009-04-11 23:42:06 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2009-04-11 23:42:06 +0000
commit5ea5c26336c06656aaae78699bf850f6b53cbd57 (patch)
tree9e81ace19b6c572da4ad6fbc64dbea2fd4ad3dbb
parent178d9835485d0a2ff24cc1713337c8c654d7eb56 (diff)
Avoid dereferencing a null pointer when pf attempts to translate a
specifically crafted IP datagram. Problem noted by Sebastian Rother. ok henning@ mcbride@ sthen@
-rw-r--r--sys/net/pf.c18
1 files changed, 17 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 81c3ca3eab1..9b9b0b3cd2c 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.640 2009/04/06 12:05:55 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.641 2009/04/11 23:42:05 jsing Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -5549,6 +5549,15 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
break;
}
+#ifdef INET6
+ case IPPROTO_ICMPV6: {
+ action = PF_DROP;
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: dropping IPv4 packet with ICMPv6 payload\n"));
+ goto done;
+ }
+#endif
+
default:
action = pf_test_state_other(&s, dir, kif, m, &pd);
if (action == PF_PASS) {
@@ -5920,6 +5929,13 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
break;
}
+ case IPPROTO_ICMP: {
+ action = PF_DROP;
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: dropping IPv6 packet with ICMPv4 payload\n"));
+ goto done;
+ }
+
case IPPROTO_ICMPV6: {
union {
struct icmp6_hdr icmp6;