authorHenning Brauer <henning@cvs.openbsd.org>2007-06-15 08:19:00 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2007-06-15 08:19:00 +0000
commit35246e47ec18c704be9c8cc1633d3fd0cf84269c (patch)
tree1dbfe40b0d6c3b663df5e9a25ea54cf09b4dc3ee /sys/net/pf.c
parent4e3bfca1c17c42dd0ed6639e69f058002c48c98a (diff)
in pf_test_rule, before handling IPPROTO_ICMP / IPPROTO_ICMPV6, check that
the packet is of the expected address family (AF_INET / AF_INET6). crafted IPv4 packets with IPPROTO_ICMPV6 can make us crash otherwise. misbehaviour provoked by Adrian Close <adrian@close.wattle.id.au> playing with nmap; he also helped us big time debugging the problem. thanks! ok ryan
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r--sys/net/pf.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 723bf349e4f..b40c1ae11ae 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.543 2007/06/09 18:30:47 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.544 2007/06/15 08:18:59 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2832,6 +2832,8 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
return (PF_DROP);
}
+ sport = dport = hdrlen = 0;
+
switch (pd->proto) {
case IPPROTO_TCP:
sport = th->th_sport;
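Review bot: The zeroing of `sport`, `dport` and `hdrlen` now sits above the switch with no comment saying why it can no longer live in `default:`. The ICMP and ICMPv6 cases changed by this commit can `break` before assigning anything, so these defaults are what such packets carry into rule matching. A short comment would keep a later cleanup from moving the line back, e.g. `/* defaults: portless protocols and ICMP cases that bail out on an address-family mismatch */`. pf_test_rule begins and ends outside the hunk.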
@@ -2845,6 +2847,8 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
break;
#ifdef INET
case IPPROTO_ICMP:
+ if (pd->af != AF_INET)
+ break;
sport = dport = pd->hdr.icmp->icmp_id;
hdrlen = sizeof(*pd->hdr.icmp);
icmptype = pd->hdr.icmp->icmp_type;
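Review bot: On an address-family mismatch, `if (pd->af != AF_INET) break;` in the IPPROTO_ICMP case (and the matching `AF_INET6` check in the IPPROTO_ICMPV6 case of the next hunk) only leaves the switch, so the packet still goes on to rule evaluation rather than being rejected. That path depends on `icmptype`, `icmpcode` and `state_icmp` having defined values from declarations outside this hunk. It also depends on no later code in pf_test_rule reading `pd->hdr.icmp` or `pd->hdr.icmp6` keyed on `pd->proto` alone; both are worth confirming, since neither is visible here. A comment on each check would record the intent, e.g. `/* ICMP protocol number on a non-IPv4 packet: do not touch pd->hdr.icmp, match as a portless protocol */`. pf_test_rule begins and ends outside the hunk.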
@@ -2860,6 +2864,8 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
#endif /* INET */
#ifdef INET6
case IPPROTO_ICMPV6:
+ if (pd->af != AF_INET6)
+ break;
sport = dport = pd->hdr.icmp6->icmp6_id;
hdrlen = sizeof(*pd->hdr.icmp6);
icmptype = pd->hdr.icmp6->icmp6_type;
@@ -2872,9 +2878,6 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
state_icmp++;
break;
#endif /* INET6 */
- default:
- sport = dport = hdrlen = 0;
- break;
}
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);