aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKristof Provost <kp@FreeBSD.org>2021-04-28 10:56:06 +0000
committerKristof Provost <kp@FreeBSD.org>2021-04-30 06:19:46 +0000
commit055c55abefbe19fe46a56894595af9c9dad7678c (patch)
treea345ee339d56232b037b7acb72e36562e0563e96
parenteecdf5220b1a559e4b58c3c21daf502e3fbfd1cd (diff)
downloadsrc-055c55abefbe19fe46a56894595af9c9dad7678c.tar.gz
src-055c55abefbe19fe46a56894595af9c9dad7678c.zip
pf: Fix IP checksum on reassembly
If we reassemble a packet we modify the IP header (to set the length and remove the fragment offset information), but we failed to update the checksum. On certain setups (mostly where we did not re-fragment again afterwards) this could lead to us sending out packets with incorrect checksums. PR: 255432 MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30026
-rw-r--r--sys/netpfil/pf/pf_norm.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index d7310c7bccb4..6de1efa8ff84 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -794,7 +794,11 @@ pf_reassemble(struct mbuf **m0, struct ip *ip, int dir, u_short *reason)
}
ip = mtod(m, struct ip *);
+ ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_len,
+ htons(hdrlen + total), 0);
ip->ip_len = htons(hdrlen + total);
+ ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_off,
+ ip->ip_off & ~(IP_MF|IP_OFFMASK), 0);
ip->ip_off &= ~(IP_MF|IP_OFFMASK);
if (hdrlen + total > IP_MAXPACKET) {