From 5f7837b6d7d435f1a86caabb25845b96934d4181 Mon Sep 17 00:00:00 2001
From: sashan <sashan@openbsd.org>
Date: Tue, 3 May 2022 13:32:47 +0000
Subject: [PATCH] Make pf(4) more paranoid about IGMP/MLP messages. MLD/IGMP
 messages with ttl other than 1 will be discarded. Also MLD messages with
 other than link-local source address will be discarded. IGMP messages with
 destination address other than multicast class will be discarded.

feedback and OK bluhm@, cluadio@
---
 sys/net/pf.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/sys/net/pf.c b/sys/net/pf.c
index f15e1ead8c0..e774a8bd141 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.1127 2022/04/29 08:58:49 bluhm Exp $ */
+/*	$OpenBSD: pf.c,v 1.1128 2022/05/03 13:32:47 sashan Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -6456,8 +6456,15 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h, u_short *reason)
 	pd->off += hlen;
 	pd->proto = h->ip_p;
 	/* IGMP packets have router alert options, allow them */
-	if (pd->proto == IPPROTO_IGMP)
+	if (pd->proto == IPPROTO_IGMP) {
+		/* According to RFC 1112 ttl must be set to 1. */
+		if ((h->ip_ttl != 1) || !IN_MULTICAST(h->ip_dst.s_addr)) {
+			DPFPRINTF(LOG_NOTICE, "Invalid IGMP");
+			REASON_SET(reason, PFRES_IPOPTIONS);
+			return (PF_DROP);
+		}
 		CLR(pd->badopts, PF_OPT_ROUTER_ALERT);
+	}
 	/* stop walking over non initial fragments */
 	if ((h->ip_off & htons(IP_OFFMASK)) != 0)
 		return (PF_PASS);
@@ -6698,6 +6705,19 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr *h, u_short *reason)
 			case MLD_LISTENER_REPORT:
 			case MLD_LISTENER_DONE:
 			case MLDV2_LISTENER_REPORT:
+				/*
+				 * According to RFC 2710 all MLD messages are
+				 * sent with hop-limit (ttl) set to 1, and link
+				 * local source address.  If either one is
+				 * missing then MLD message is invalid and
+				 * should be discarded.
+				 */
+				if ((h->ip6_hlim != 1) ||
+				    !IN6_IS_ADDR_LINKLOCAL(&h->ip6_src)) {
+					DPFPRINTF(LOG_NOTICE, "Invalid MLD");
+					REASON_SET(reason, PFRES_IPOPTIONS);
+					return (PF_DROP);
+				}
 				CLR(pd->badopts, PF_OPT_ROUTER_ALERT);
 				break;
 			}
-- 
2.20.1