From 0271abd8e4942e853c0fc03b1a76e617f0d9a984 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Mon, 23 May 2022 11:17:35 +0000
Subject: [PATCH] In pf the kernel paniced if IP options in packet within ICMP payload were truncated. Drop such packets instead.

Reported-by: syzbot+91abd3aa2fdfe900f9ce@syzkaller.appspotmail.com
OK sashan@ claudio@
---
 sys/net/pf.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 0d1dbbdbd22..93fe5702625 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1131 2022/05/23 09:54:18 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1132 2022/05/23 11:17:35 bluhm Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -6384,6 +6384,13 @@ pf_walk_option(struct pf_pdesc *pd, struct ip *h, int off, int end,
 {
 uint8_t type, length, opts[15 * 4 - sizeof(struct ip)];
 
+ /* IP header in payload of ICMP packet may be too short */
+ if (pd->m->m_pkthdr.len < end) {
+ DPFPRINTF(LOG_NOTICE, "IP option too short");
+ REASON_SET(reason, PFRES_SHORT);
+ return (PF_DROP);
+ }
+
 KASSERT(end - off <= sizeof(opts));
 m_copydata(pd->m, off, end - off, opts);
 end -= off;
-- 
2.20.1
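Review bot: The `KASSERT(end - off <= sizeof(opts))` right after the new length check is still the only guard on the size handed to `m_copydata`, and it compares a signed `int` difference with an unsigned `sizeof`, so a negative `end - off` would convert to a large value and panic instead of dropping the packet. Whether every caller bounds `off` and `end` cannot be seen here, because the callers are outside the hunk and the body of `pf_walk_option` continues past it. If those values can be influenced by packet contents, it would match the intent of this fix to fold the bound into the new check, e.g. `if (end < off || end - off > (int)sizeof(opts) || pd->m->m_pkthdr.len < end) {`. If it is a genuine caller invariant, a short comment above the assertion such as `/* callers guarantee off <= end and end - off <= sizeof(opts) */` would tell the next reader why an assertion is safe on this path.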