In pf the kernel panicked if IP options in packet within ICMP payload
authorbluhm <bluhm@openbsd.org>
Mon, 23 May 2022 11:17:35 +0000 (11:17 +0000)
committerbluhm <bluhm@openbsd.org>
Mon, 23 May 2022 11:17:35 +0000 (11:17 +0000)
were truncated.  Drop such packets instead.
Reported-by: syzbot+91abd3aa2fdfe900f9ce@syzkaller.appspotmail.com
OK sashan@ claudio@

sys/net/pf.c

index 0d1dbbd..93fe570 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf.c,v 1.1131 2022/05/23 09:54:18 bluhm Exp $ */
+/*     $OpenBSD: pf.c,v 1.1132 2022/05/23 11:17:35 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -6384,6 +6384,13 @@ pf_walk_option(struct pf_pdesc *pd, struct ip *h, int off, int end,
 {
        uint8_t type, length, opts[15 * 4 - sizeof(struct ip)];
 
+       /* IP header in payload of ICMP packet may be too short */
+       if (pd->m->m_pkthdr.len < end) {
+               DPFPRINTF(LOG_NOTICE, "IP option too short");
+               REASON_SET(reason, PFRES_SHORT);
+               return (PF_DROP);
+       }
+
        KASSERT(end - off <= sizeof(opts));
        m_copydata(pd->m, off, end - off, opts);
        end -= off;
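Review bot: The `KASSERT(end - off <= sizeof(opts))` right after the new length check is still a panic path on values that come from the packet. `end - off` is an `int` compared against a `size_t`, so a negative difference converts to a very large unsigned value and trips the assertion. The hunk does not show whether every caller guarantees the bounds; if they do, a comment such as `/* caller must ensure off <= end and end - off <= sizeof(opts) */` above the KASSERT would record that, and if they might not, the same PFRES_SHORT drop could cover it with `if (end < off || pd->m->m_pkthdr.len < end) {`. The debug message would also help triage more with the lengths in it, e.g. `DPFPRINTF(LOG_NOTICE, "IP options truncated: len %d, end %d", pd->m->m_pkthdr.len, end);`. The parameter list of pf_walk_option and the rest of its body lie outside the hunk.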