From 00eab743abca6918aca3ad165c1707ab70f7037f Mon Sep 17 00:00:00 2001 From: Kristof Provost Date: Thu, 20 Apr 2017 09:05:53 +0000 Subject: [PATCH] pf: Fix possible incorrect IPv6 fragmentation When forwarding pf tracks the size of the largest fragment in a fragmented packet, and refragments based on this size. It failed to ensure that this size was a multiple of 8 (as is required for all but the last fragment), so it could end up generating incorrect fragments. For example, if we received an 8 byte and 12 byte fragment pf would emit a first fragment with 12 bytes of payload and the final fragment would claim to be at offset 8 (not 12). We now assert that the fragment size is a multiple of 8 in ip6_fragment(), so other users won't make the same mistake. Reported by: Antonios Atlasis MFC after: 3 days --- sys/netinet6/ip6_output.c | 2 ++ sys/netpfil/pf/pf_norm.c | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index c851038c12d6..998097b0a025 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -226,6 +226,8 @@ ip6_fragment(struct ifnet *ifp, struct mbuf *m0, int hlen, u_char nextproto, int error; int tlen = m0->m_pkthdr.len; + KASSERT(( mtu % 8 == 0), ("Fragment length must be a multiple of 8")); + m = m0; ip6 = mtod(m, struct ip6_hdr *); mnext = &m->m_nextpkt; diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index b6301b6da852..81ef54d47a0a 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -762,6 +762,10 @@ pf_refragment6(struct ifnet *ifp, struct mbuf **m0, struct m_tag *mtag) hdr->ip6_nxt = IPPROTO_FRAGMENT; } + /* The MTU must be a multiple of 8 bytes, or we risk doing the + * fragmentation wrong. */ + maxlen = maxlen & ~7; + /* * Maxlen may be less than 8 if there was only a single * fragment. As it was fragmented before, add a fragment