From e3048d164877abde6609a6132d3ea32fb6bac555 Mon Sep 17 00:00:00 2001 From: bluhm Date: Fri, 17 Apr 2015 16:42:50 +0000 Subject: [PATCH] On Ethernet packets have a minimal length, so very short packets get padding appended to them. This padding is not stripped off in ip6_input() (due to support for IPv6 Jumbograms, RFC2675). That means PF needs to be careful when reassembling fragmented packets to not include the padding in the reassembled packet. from FreeBSD; via Kristof Provost; OK henning@ --- sys/net/pf_norm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index 6e661e6c53d..6793171d23e 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.175 2015/03/14 03:38:51 jsg Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.176 2015/04/17 16:42:50 bluhm Exp $ */ /* * Copyright 2001 Niels Provos @@ -467,8 +467,10 @@ pf_join_fragment(struct pf_fragment *frag) frent = TAILQ_FIRST(&frag->fr_queue); TAILQ_REMOVE(&frag->fr_queue, frent, fr_next); - /* Magic from ip_input */ m = frent->fe_m; + /* Strip off any trailing bytes */ + m_adj(m, (frent->fe_hdrlen + frent->fe_len) - m->m_pkthdr.len); + /* Magic from ip_input */ m2 = m->m_next; m->m_next = NULL; m_cat(m, m2); @@ -480,6 +482,8 @@ pf_join_fragment(struct pf_fragment *frag) m2 = frent->fe_m; /* Strip off ip header */ m_adj(m2, frent->fe_hdrlen); + /* Strip off any trailing bytes */ + m_adj(m2, frent->fe_len - m2->m_pkthdr.len); pool_put(&pf_frent_pl, frent); pf_nfrents--; m_cat(m, m2); -- 2.20.1
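Review bot: Both new trims are only correct while the computed length is zero or negative, because `m_adj()` removes bytes from the tail for a negative argument and from the head for a positive one. If the first fragment's mbuf were ever shorter than `frent->fe_hdrlen + frent->fe_len`, the call `m_adj(m, (frent->fe_hdrlen + frent->fe_len) - m->m_pkthdr.len)` in the hunk at -467 would silently cut header bytes instead of padding, and the same applies to `m_adj(m2, frent->fe_len - m2->m_pkthdr.len)` in the hunk at -480. The length check that presumably rules this out is done where the frent is filled in, which this diff does not show, and pf_join_fragment's body starts and ends outside both hunks. Since this is reassembly of untrusted fragments, I would either record the invariant next to the call, e.g. `/* Strip off any trailing bytes; relies on fe_hdrlen + fe_len <= m_pkthdr.len */`, or make the trim explicit with `if (m->m_pkthdr.len > frent->fe_hdrlen + frent->fe_len)` in front of it.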