authorAlexander Bluhm <bluhm@cvs.openbsd.org>2023-01-12 13:09:48 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2023-01-12 13:09:48 +0000
commit61956b7d350ca70795cd9ec283c3768e7a494cb0 (patch)
tree39ed507f319761d034962217907fdc048442396d /sys/net/pf.c
parentc1e35365c2f13c5a4c79212f9f8752d6ccf64a95 (diff)
Binding the accept socket in TCP input relies on the fact that the
listen port is not bound to port 0. With a matching pf divert-to rule this assumption is no longer true and could crash the kernel with kassert. In both pf and stack drop TCP packets with destination port 0 before they can do harm. OK sashan@ claudio@
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r--sys/net/pf.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 4e638f61dc1..b121cc092f9 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1169 2023/01/06 17:44:34 sashan Exp $ */
+/* $OpenBSD: pf.c,v 1.1170 2023/01/12 13:09:47 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -7254,7 +7254,8 @@ pf_setup_pdesc(struct pf_pdesc *pd, sa_family_t af, int dir,
NULL, reason, pd->af))
return (PF_DROP);
pd->hdrlen = sizeof(*th);
- if (pd->off + (th->th_off << 2) > pd->tot_len ||
+ if (th->th_dport == 0 ||
+ pd->off + (th->th_off << 2) > pd->tot_len ||
(th->th_off << 2) < sizeof(struct tcphdr)) {
REASON_SET(reason, PFRES_SHORT);
return (PF_DROP);
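Review bot: The new `th->th_dport == 0` test shares the branch that sets `PFRES_SHORT`, so a well-formed TCP segment aimed at port 0 is counted and logged as a short packet. Anyone reading pf's drop counters or pflog output to spot port-0 probing would see a length anomaly rather than the real cause. If adding a separate reason code is not wanted, at least document the choice above the condition, for example `/* dport 0 must never reach TCP input (divert-to could bind the accept socket to port 0); counted as PFRES_SHORT */`. The comparison against 0 needs no byte-order conversion, so it is correct as written. The enclosing case in pf_setup_pdesc starts and ends outside this hunk, so whether other protocols get the same treatment cannot be checked from here.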