| author | Kristof Provost <kp@FreeBSD.org> | 2026-04-28 08:54:24 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2026-04-28 12:00:35 +0000 |
| commit | bea1c2fcd7839fd90a8ce96d6dc6a033779bc3c2 | |
| tree | 98ec5fd3f4367d8850f68465aaf145b0a929119e | |
| parent | 7c450d1127c7f08361f848c0ac57189910da8d3b | |

pf: improve ASCONF chunk validation

When processing an ASCONF chunk we failed to verify that the chunk
length was at least 8 bytes. As a result we might end up passing a
negative length to pf_multihome_scan(). Fortunately this merely meant
the function did nothing, but we should discard such invalid packets, so
explicitly check for this.

MFC after: 1 week
Reported by: Mark Johnston
Sponsored by: Orange Business Services

| -rw-r--r-- | sys/netpfil/pf/pf.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index dea40816e30f..53f74271e268 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -8462,6 +8462,9 @@ pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op) NULL, pd->af)) return (PF_DROP); + if (ntohs(ah.ph.param_length) < sizeof(ah)) + return (PF_DROP); + ret = pf_multihome_scan(start + off + sizeof(ah), ntohs(ah.ph.param_length) - sizeof(ah), pd, SCTP_ADD_IP_ADDRESS); @@ -8476,6 +8479,10 @@ pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op) if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah), NULL, pd->af)) return (PF_DROP); + + if (ntohs(ah.ph.param_length) < sizeof(ah)) + return (PF_DROP); + ret = pf_multihome_scan(start + off + sizeof(ah), ntohs(ah.ph.param_length) - sizeof(ah), pd, SCTP_DEL_IP_ADDRESS); |
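
Review bot: In the first hunk (the SCTP_ADD_IP_ADDRESS call), the new check bounds `ah.ph.param_length` from below only; nothing in the visible lines compares it against the `len` remaining in the enclosing scan before `ntohs(ah.ph.param_length) - sizeof(ah)` is handed to the nested pf_multihome_scan(). If that upper bound is not enforced elsewhere in the function, consider dropping here as well when the parameter claims more bytes than remain, so the nested scan cannot be asked to walk past the end of the chunk. It would also help to compute `ntohs(ah.ph.param_length)` once into a local, since it is now evaluated twice in each case.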
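
Review bot: The second hunk (the SCTP_DEL_IP_ADDRESS call) repeats the length check from the first hunk verbatim and neither copy carries a comment. Suggest a one-line comment at each site stating the invariant (the parameter length must cover the ASCONF header itself, the 8 bytes the commit message mentions), because `sizeof(ah)` alone does not tell the reader why a shorter value is invalid. Since the ADD and DEL cases now share the same pf_pull_hdr() plus length-check sequence, a small helper for both would keep them from drifting apart in later changes.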
