diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2022-05-23 11:17:36 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2022-05-23 11:17:36 +0000 |
| commit | 91df5b01c8a13e97aa990be0585905c941ff0406 (patch) | |
| tree | 4363a94ac5bc23d7efd470c42e507b1202b291bc /sys/net/pf.c | |
| parent | 890995dcbb5d60cf96afe86c21ef4f8e2c53a904 (diff) | |
In pf the kernel paniced if IP options in packet within ICMP payload
were truncated. Drop such packets instead.
Reported-by: syzbot+91abd3aa2fdfe900f9ce@syzkaller.appspotmail.com
OK sashan@ claudio@
Diffstat (limited to 'sys/net/pf.c')
| -rw-r--r-- | sys/net/pf.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 0d1dbbdbd22..93fe5702625 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.1131 2022/05/23 09:54:18 bluhm Exp $ */ +/* $OpenBSD: pf.c,v 1.1132 2022/05/23 11:17:35 bluhm Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -6384,6 +6384,13 @@ pf_walk_option(struct pf_pdesc *pd, struct ip *h, int off, int end, { uint8_t type, length, opts[15 * 4 - sizeof(struct ip)]; + /* IP header in payload of ICMP packet may be too short */ + if (pd->m->m_pkthdr.len < end) { + DPFPRINTF(LOG_NOTICE, "IP option too short"); + REASON_SET(reason, PFRES_SHORT); + return (PF_DROP); + } + KASSERT(end - off <= sizeof(opts)); m_copydata(pd->m, off, end - off, opts); end -= off; |