author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2023-01-12 13:09:48 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2023-01-12 13:09:48 +0000 |
commit | 61956b7d350ca70795cd9ec283c3768e7a494cb0 (patch) | |
tree | 39ed507f319761d034962217907fdc048442396d /sys | |
parent | c1e35365c2f13c5a4c79212f9f8752d6ccf64a95 (diff) |
Binding the accept socket in TCP input relies on the fact that the
listen port is not bound to port 0. With a matching pf divert-to
rule this assumption is no longer true and could crash the kernel
with kassert. In both pf and stack drop TCP packets with destination
port 0 before they can do harm.
OK sashan@ claudio@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf.c | 5 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 7 |
2 files changed, 9 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 4e638f61dc1..b121cc092f9 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1169 2023/01/06 17:44:34 sashan Exp $ */
+/* $OpenBSD: pf.c,v 1.1170 2023/01/12 13:09:47 bluhm Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -7254,7 +7254,8 @@ pf_setup_pdesc(struct pf_pdesc *pd, sa_family_t af, int dir,
 NULL, reason, pd->af))
 return (PF_DROP);
 pd->hdrlen = sizeof(*th);
- if (pd->off + (th->th_off << 2) > pd->tot_len ||
+ if (th->th_dport == 0 ||
+ pd->off + (th->th_off << 2) > pd->tot_len ||
 (th->th_off << 2) < sizeof(struct tcphdr)) {
 REASON_SET(reason, PFRES_SHORT);
 return (PF_DROP);
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index c88ed1e772e..550a40c09e2 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.384 2022/12/09 00:24:44 bluhm Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.385 2023/01/12 13:09:47 bluhm Exp $ */
 /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
 
 /*
@@ -522,6 +522,11 @@ tcp_input(struct mbuf **mp, int *offp, int proto, int af)
 th->th_win = ntohs(th->th_win);
 th->th_urp = ntohs(th->th_urp);
 
+ if (th->th_dport == 0) {
+ tcpstat_inc(tcps_noport);
+ goto dropwithreset_ratelim;
+ }
+
 /*
 * Locate pcb for segment.
 */ |
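Review bot: The new `th->th_dport == 0` test in pf_setup_pdesc shares the `REASON_SET(reason, PFRES_SHORT)` branch with the two header-length checks, so a port-0 drop is recorded under the short-packet reason and cannot be told apart from a truncated header wherever that reason is reported. If reusing the reason is intended, a comment above the condition would say so, for example `/* dport 0 is never a valid listen port; counted as PFRES_SHORT */`. The comparison needs no byte swap, since zero is the same in either byte order. The function starts and ends outside the hunk, so how `reason` is consumed later is not visible here.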
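Review bot: The added port-0 block in tcp_input has no comment saying why port 0 is rejected at this point; the reason exists only in the commit message. A comment above the `if`, such as `/* Port 0 is never bound; a pf divert-to match could otherwise let this reach the accept-socket bind and trip its kassert. */`, would keep that context next to the code. It is also worth noting there that this path jumps to `dropwithreset_ratelim`, which by its name answers with a rate-limited reset, whereas the pf.c hunk returns `PF_DROP` without a reply. The label and the rest of tcp_input lie outside the hunk, so that behaviour is inferred from the name.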