Date:      Fri, 7 May 2021 15:25:56 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 70e8fe5eee7c - stable/13 - pf: Fix IP checksum on reassembly
Message-ID:  <202105071525.147FPuRC026734@gitrepo.freebsd.org>

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=70e8fe5eee7c35a2c7ce988d402d84a7a9901818

commit 70e8fe5eee7c35a2c7ce988d402d84a7a9901818
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-04-28 10:56:06 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-05-07 08:16:02 +0000

    pf: Fix IP checksum on reassembly
    
    If we reassemble a packet we modify the IP header (to set the length and
    remove the fragment offset information), but we failed to update the
    checksum. On certain setups (mostly where we did not re-fragment again
    afterwards) this could lead to us sending out packets with incorrect
    checksums.
    
    PR:             255432
    MFC after:      1 week
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D30026
    
    (cherry picked from commit 055c55abefbe19fe46a56894595af9c9dad7678c)
---
 sys/netpfil/pf/pf_norm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index d7310c7bccb4..6de1efa8ff84 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -794,7 +794,11 @@ pf_reassemble(struct mbuf **m0, struct ip *ip, int dir, u_short *reason)
 	}
 
 	ip = mtod(m, struct ip *);
+	ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_len,
+	    htons(hdrlen + total), 0);
 	ip->ip_len = htons(hdrlen + total);
+	ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_off,
+	    ip->ip_off & ~(IP_MF|IP_OFFMASK), 0);
 	ip->ip_off &= ~(IP_MF|IP_OFFMASK);
 
 	if (hdrlen + total > IP_MAXPACKET) {
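Review bot: Both added pf_cksum_fixup() calls depend on running before the assignment that follows them, because they read the old ip->ip_len and ip->ip_off from the header, and each new value is spelled out twice (htons(hdrlen + total), and ip->ip_off & ~(IP_MF|IP_OFFMASK)), once in the call and once in the assignment. Computing each new value into a local and passing that local to both the fixup and the store, with a one-line comment on the ordering, would stop a later edit from changing one copy and leaving the checksum out of step with the header. The ip_len fixup also runs ahead of the hdrlen + total > IP_MAXPACKET test in the trailing context, so htons() is applied to a sum that has not yet been checked to fit in 16 bits; consider moving that test above the header rewrite. The meaning of the trailing 0 argument is not evident at the call site and would benefit from a comment.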



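The failure described in the commit message, as an added example that is not FreeBSD's code: a constructed 20-byte IPv4 fragment header is rewritten the way reassembly rewrites it (new total length, MF and offset cleared), once with an incremental checksum adjustment and once without. The adjustment shown is the RFC 1624 incremental update; all helper names, the sample header bytes and the new length of 4020 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define MF_BIT   0x2000u /* "more fragments" flag */
#define OFF_MASK 0x1fffu /* 13-bit fragment offset */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

static uint16_t fold(uint32_t sum) /* end-around carry */
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* RFC 1071 checksum of a 20-byte header; 0 means the stored checksum verifies. */
static uint16_t ip_cksum(const uint8_t *h)
{
    uint32_t sum = 0;
    for (int i = 0; i < 20; i += 2)
        sum += rd16(h + i);
    return (uint16_t)~fold(sum);
}

/* RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m'). m_old must be the value still in the header. */
static uint16_t cksum_update(uint16_t hc, uint16_t m_old, uint16_t m_new)
{
    return (uint16_t)~fold((uint32_t)(uint16_t)~hc + (uint16_t)~m_old + m_new);
}

/* Constructed first fragment (len 1500, MF set), rewritten the way reassembly
 * does: new total length, MF and offset cleared. fix=0 leaves the checksum stale. */
static int header_valid_after(int fix)
{
    uint8_t h[20] = { 0x45,0x00,0x05,0xdc, 0x12,0x34,0x20,0x00, 0x40,0x11,0x00,0x00,
                      0xc0,0x00,0x02,0x01, 0xc6,0x33,0x64,0x07 };
    uint16_t new_len = 4020, new_off;
    wr16(h + 10, ip_cksum(h));              /* valid checksum for the fragment */
    new_off = (uint16_t)(rd16(h + 6) & ~(MF_BIT | OFF_MASK));
    if (fix) {                              /* adjust before overwriting each field */
        uint16_t hc = cksum_update(rd16(h + 10), rd16(h + 2), new_len);
        wr16(h + 10, cksum_update(hc, rd16(h + 6), new_off));
    }
    wr16(h + 2, new_len);
    wr16(h + 6, new_off);
    return ip_cksum(h) == 0;
}

int main(void) { printf("fixup: %d, stale: %d\n", header_valid_after(1), header_valid_after(0)); return 0; }
```

A receiver or capture tool that validates IPv4 header checksums would reject or flag the header produced by the `fix=0` path.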