On Ethernet packets have a minimal length, so very short packets

get padding appended to them.  This padding is not stripped off in
ip6_input() (due to support for IPv6 Jumbograms, RFC2675).  That
means PF needs to be careful when reassembling fragmented packets
to not include the padding in the reassembled packet.
from FreeBSD; via Kristof Provost; OK henning@

1 files changed, 6 insertions, 2 deletions

diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 6e661e6c53d..6793171d23e 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_norm.c,v 1.175 2015/03/14 03:38:51 jsg Exp $ */
+/*	$OpenBSD: pf_norm.c,v 1.176 2015/04/17 16:42:50 bluhm Exp $ */
 
 /*
  * Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -467,8 +467,10 @@ pf_join_fragment(struct pf_fragment *frag)
 	frent = TAILQ_FIRST(&frag->fr_queue);
 	TAILQ_REMOVE(&frag->fr_queue, frent, fr_next);
 
-	/* Magic from ip_input */
 	m = frent->fe_m;
+	/* Strip off any trailing bytes */
+	m_adj(m, (frent->fe_hdrlen + frent->fe_len) - m->m_pkthdr.len);
+	/* Magic from ip_input */
 	m2 = m->m_next;
 	m->m_next = NULL;
 	m_cat(m, m2);
@@ -480,6 +482,8 @@ pf_join_fragment(struct pf_fragment *frag)
 		m2 = frent->fe_m;
 		/* Strip off ip header */
 		m_adj(m2, frent->fe_hdrlen);
+		/* Strip off any trailing bytes */
+		m_adj(m2, frent->fe_len - m2->m_pkthdr.len);
 		pool_put(&pf_frent_pl, frent);
 		pf_nfrents--;
 		m_cat(m, m2);