diff options
author | Gleb Smirnoff <glebius@FreeBSD.org> | 2023-12-19 19:24:17 +0000 |
---|---|---|
committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2024-01-02 19:06:31 +0000 |
commit | 943814893bda5d74d8a2cace0a613dd5733c2845 (patch) | |
tree | 659b166c57447f620d708eb4102570941246b6a0 | |
parent | 98bac6fb064ca7536ddb67b845c653b926b699a5 (diff) | |
download | src-943814893bda5d74d8a2cace0a613dd5733c2845.tar.gz src-943814893bda5d74d8a2cace0a613dd5733c2845.zip |
tcp: always set tcp_tun_port to a correct value
The tcp_tun_port field that is used to pass port value between UDP
and TCP in case of tunneling is a generic field that used to pass
data between network layers. It can be contaminated on entry, e.g.
by a VLAN tag set by a NIC driver. Explicily set it, so that it
is zeroed out in a normal not-tunneled TCP. If it contains garbage,
tcp_twcheck() later can enter wrong block of code and treat the packet
as incorrectly tunneled one. On main and stable/14 that will end up
with sending incorrect responses, but on stable/13 with ipfw(8) and
pcb-matching rules it may end up in a panic.
This is a minimal conservative patch to be merged to stable branches.
Later we may redesign this.
PR: 275169
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D43065
(cherry picked from commit 513f2e2e7180202167ca2963d815d2a4c3ac0af9)
-rw-r--r-- | sys/netinet/tcp_input.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 9f7e42b582c6..512da877846a 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -640,6 +640,7 @@ tcp_input_with_port(struct mbuf **mp, int *offp, int proto, uint16_t port) to.to_flags = 0; TCPSTAT_INC(tcps_rcvtotal); + m->m_pkthdr.tcp_tun_port = port; #ifdef INET6 if (isipv6) { ip6 = mtod(m, struct ip6_hdr *); |