diff options
authorEugene Grosbein <eugen@FreeBSD.org>2020-02-12 00:31:00 +0000
committerEugene Grosbein <eugen@FreeBSD.org>2020-02-12 00:31:00 +0000
commit49f384cb477bd32a4d1e85f0bf9fe7499f6b3e72 (patch)
parentf976241773df2260e6170317080761d1c5814fe5 (diff)
ng_nat: avoid panic if attached directly to ng_ether and got short packet
From the beginning, ng_nat safely assumed cleansed traffic because of limited ways it could be attached to NETGRAPH: ng_ipfw or ng_ppp only. Now as it may be attached with ng_ether too, the assumption proven wrong. Add needed check to the ng_nat. Thanks for markj for debugging this. PR: 243096 Submitted by: Lutz Donnerhacke <lutz@donnerhacke.de> Reported by: Robert James Hernandez <rob@sarcasticadmin.com> Reviewed by: markj and others MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D23091
Notes: svn path=/head/; revision=357786
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/netgraph/ng_nat.c b/sys/netgraph/ng_nat.c
index f0784f43ddb8..4b6039d33654 100644
--- a/sys/netgraph/ng_nat.c
+++ b/sys/netgraph/ng_nat.c
@@ -806,11 +806,16 @@ ng_nat_rcvdata(hook_p hook, item_p item )
panic("Corrupted priv->dlt: %u", priv->dlt);
+ if (m->m_pkthdr.len < ipofs + sizeof(struct ip))
+ goto send; /* packet too short to hold IP */
c = (char *)mtodo(m, ipofs);
ip = (struct ip *)mtodo(m, ipofs);
- KASSERT(m->m_pkthdr.len == ipofs + ntohs(ip->ip_len),
- ("ng_nat: ip_len != m_pkthdr.len"));
+ if (ip->ip_v != IPVERSION)
+ goto send; /* other IP version, let it pass */
+ if (m->m_pkthdr.len < ipofs + ntohs(ip->ip_len))
+ goto send; /* packet too short (i.e. fragmented or broken) */
* We drop packet when: