From 36cc2dba503bef8e6527b1dc534a85f2779babc9 Mon Sep 17 00:00:00 2001 From: Joel Sing Date: Mon, 22 Jun 2009 17:04:03 +0000 Subject: Check that the address family is appropriate before processing ICMPv4 and ICMPv6 messages. ok henning@ --- sys/net/pf.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'sys') diff --git a/sys/net/pf.c b/sys/net/pf.c index 2c6618ba7df..a02706f7d88 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.653 2009/06/22 16:55:14 jsing Exp $ */ +/* $OpenBSD: pf.c,v 1.654 2009/06/22 17:04:02 jsing Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2798,6 +2798,9 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, break; #ifdef INET case IPPROTO_ICMP: + if (af != AF_INET) + break; + if (PF_ANEQ(saddr, &nk->addr[pd->sidx], AF_INET)) pf_change_a(&saddr->v4.s_addr, pd->ip_sum, nk->addr[pd->sidx].v4.s_addr, 0); @@ -2819,6 +2822,9 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, #endif /* INET */ #ifdef INET6 case IPPROTO_ICMPV6: + if (af != AF_INET6) + break; + if (PF_ANEQ(saddr, &nk->addr[pd->sidx], AF_INET6)) pf_change_a6(saddr, &pd->hdr.icmp6->icmp6_cksum, &nk->addr[pd->sidx], 0); -- cgit v1.2.3