diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2019-02-28 20:20:48 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2019-02-28 20:20:48 +0000 |
| commit | 303ee37d16acf9d12fc5477975e7fd1144458f2f (patch) | |
| tree | e6e95ae0892326a2215a02cb2a7458251f3020f5 /sys/net | |
| parent | 619e5734a447fbf8608f37d5f72b3baf375c1857 (diff) | |
IPv6 fragments with malformed extension headers could be erroneously
passed by pf or cause a panic in pf.
fix from sashan@; OK bluhm@ claudio@
bug found by Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
Diffstat (limited to 'sys/net')
| -rw-r--r-- | sys/net/pf_norm.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index 8d70182e331..570d0523cfc 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.217 2018/10/23 09:53:06 reyk Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.218 2019/02/28 20:20:47 bluhm Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -879,10 +879,10 @@ pf_reassemble6(struct mbuf **m0, struct ip6_frag *fraghdr, } /* We have all the data */ - extoff = frent->fe_extoff; - maxlen = frag->fr_maxlen; frent = TAILQ_FIRST(&frag->fr_queue); KASSERT(frent != NULL); + extoff = frent->fe_extoff; + maxlen = frag->fr_maxlen; total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off + TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len; hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag); |