Binding the accept socket in TCP input relies on the fact that the

listen port is not bound to port 0.  With a matching pf divert-to
rule this assumption is no longer true and could crash the kernel
with kassert.  In both pf and stack drop TCP packets with destination
port 0 before they can do harm.
OK sashan@ claudio@

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 4e638f6..b121cc0 100644 (file)
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf.c,v 1.1169 2023/01/06 17:44:34 sashan Exp $ */
+/*     $OpenBSD: pf.c,v 1.1170 2023/01/12 13:09:47 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -7254,7 +7254,8 @@ pf_setup_pdesc(struct pf_pdesc *pd, sa_family_t af, int dir,
                    NULL, reason, pd->af))
                        return (PF_DROP);
                pd->hdrlen = sizeof(*th);
-               if (pd->off + (th->th_off << 2) > pd->tot_len ||
+               if (th->th_dport == 0 ||
+                   pd->off + (th->th_off << 2) > pd->tot_len ||
                    (th->th_off << 2) < sizeof(struct tcphdr)) {
                        REASON_SET(reason, PFRES_SHORT);
                        return (PF_DROP);

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index c88ed1e..550a40c 100644 (file)
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: tcp_input.c,v 1.384 2022/12/09 00:24:44 bluhm Exp $   */
+/*     $OpenBSD: tcp_input.c,v 1.385 2023/01/12 13:09:47 bluhm Exp $   */
 /*     $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $  */
 
 /*
@@ -522,6 +522,11 @@ tcp_input(struct mbuf **mp, int *offp, int proto, int af)
        th->th_win = ntohs(th->th_win);
        th->th_urp = ntohs(th->th_urp);
 
+       if (th->th_dport == 0) {
+               tcpstat_inc(tcps_noport);
+               goto dropwithreset_ratelim;
+       }
+
        /*
         * Locate pcb for segment.
         */