author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2011-02-01 16:10:32 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2011-02-01 16:10:32 +0000 |
commit | 563df0892b2a6f7031c1e2337b60c211ba1cfdaf (patch) | |
tree | 438e2641930c557524afc845e0d8b1f17ff45f20 /sys/net/pf_norm.c | |
parent | 2d1d3c850fc91032419fc9d1d0de2579cd82eafe (diff) |
The check for invalid IPv6 fragment size in pf_normalize_ip6() was
wrong. As an effect small valid fragmented packets got dropped and
some invalid fragmented packets were passed. plen is the payload
length of the ipv6 packet without the ipv6 header. off is relative
to the whole packet including the ipv6 header. Add sizeof(struct
ip6_hdr) in the calculation.
ok henning@ markus@
Diffstat (limited to 'sys/net/pf_norm.c')
-rw-r--r-- | sys/net/pf_norm.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index 29557213c3c..de3dabd9d3c 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.127 2011/01/20 15:03:03 bluhm Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.128 2011/02/01 16:10:31 bluhm Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -676,7 +676,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kif *kif, if (!pf_pull_hdr(m, off, &frag, sizeof(frag), NULL, NULL, AF_INET6)) goto shortpkt; fragoff = ntohs(frag.ip6f_offlg & IP6F_OFF_MASK); - if (fragoff + (plen - off - sizeof(frag)) > IPV6_MAXPACKET) + if (fragoff + (sizeof(struct ip6_hdr) + plen - off - sizeof(frag)) > + IPV6_MAXPACKET) goto badfrag; /* do something about it */ |
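Review bot: the new bounds check in the pf_normalize_ip6() hunk has no comment recording that plen excludes the IPv6 header while off is counted from the start of the packet, which is the mismatch the commit message names as the cause of the bug. A one-line comment above the `if`, or a named local for the fragment payload length (`sizeof(struct ip6_hdr) + plen - off - sizeof(frag)`), would make the units explicit and harder to break again. Because the sizeof operands make the expression unsigned, a packet whose off + sizeof(frag) exceeds the total length would wrap to a large value and take the `goto badfrag` path; that fails closed, but it is implicit, so an explicit length check or a note saying it is intended would help. The trailing `/* do something about it */` also says nothing about what follows and could be replaced with a description of the next step.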