in pf_test_rule, before handling IPPROTO_ICMP / IPPROTO_ICMPV6, check that

the packet is of the expected address family (AF_INET / AF_INET6).
crafted IPv4 packets with IPPROTO_ICMPV6 can make us crash otherwise.
misbehaviour provoked by Adrian Close <adrian@close.wattle.id.au> playing
with nmap; he also helped us big time debugging the problem. thanks!
ok ryan

1 files changed, 7 insertions, 4 deletions

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 723bf349e4f..b40c1ae11ae 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.543 2007/06/09 18:30:47 henning Exp $ */
+/*	$OpenBSD: pf.c,v 1.544 2007/06/15 08:18:59 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -2832,6 +2832,8 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 		return (PF_DROP);
 	}
 
+	sport = dport = hdrlen = 0;
+
 	switch (pd->proto) {
 	case IPPROTO_TCP:
 		sport = th->th_sport;
@@ -2845,6 +2847,8 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 		break;
 #ifdef INET
 	case IPPROTO_ICMP:
+		if (pd->af != AF_INET)
+			break;
 		sport = dport = pd->hdr.icmp->icmp_id;
 		hdrlen = sizeof(*pd->hdr.icmp);
 		icmptype = pd->hdr.icmp->icmp_type;
@@ -2860,6 +2864,8 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 #endif /* INET */
 #ifdef INET6
 	case IPPROTO_ICMPV6:
+		if (pd->af != AF_INET6)
+			break;
 		sport = dport = pd->hdr.icmp6->icmp6_id;
 		hdrlen = sizeof(*pd->hdr.icmp6);
 		icmptype = pd->hdr.icmp6->icmp6_type;
@@ -2872,9 +2878,6 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 			state_icmp++;
 		break;
 #endif /* INET6 */
-	default:
-		sport = dport = hdrlen = 0;
-		break;
 	}
 
 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);