From owner-dev-commits-src-branches@freebsd.org Fri May 7 15:26:03 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0A90B6315D4; Fri, 7 May 2021 15:26:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FcDmm6X8jz4jr1; Fri, 7 May 2021 15:26:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 18D295AD3; Fri, 7 May 2021 15:25:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 147FPvr3026798; Fri, 7 May 2021 15:25:57 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 147FPvsa026797; Fri, 7 May 2021 15:25:57 GMT (envelope-from git) Date: Fri, 7 May 2021 15:25:57 GMT Message-Id: <202105071525.147FPvsa026797@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: af1b05bb32b5 - stable/12 - pf: Fix IP checksum on reassembly MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: af1b05bb32b5440dd999853bd7c01a5b8c0d73f4 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 May 2021 15:26:03 -0000 The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=af1b05bb32b5440dd999853bd7c01a5b8c0d73f4 commit af1b05bb32b5440dd999853bd7c01a5b8c0d73f4 Author: Kristof Provost AuthorDate: 2021-04-28 10:56:06 +0000 Commit: Kristof Provost CommitDate: 2021-05-07 08:17:50 +0000 pf: Fix IP checksum on reassembly If we reassemble a packet we modify the IP header (to set the length and remove the fragment offset information), but we failed to update the checksum. On certain setups (mostly where we did not re-fragment again afterwards) this could lead to us sending out packets with incorrect checksums. PR: 255432 MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30026 (cherry picked from commit 055c55abefbe19fe46a56894595af9c9dad7678c) --- sys/netpfil/pf/pf_norm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 2a3c1d442fd4..8f970b68373b 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -790,7 +790,11 @@ pf_reassemble(struct mbuf **m0, struct ip *ip, int dir, u_short *reason) } ip = mtod(m, struct ip *); + ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_len, + htons(hdrlen + total), 0); ip->ip_len = htons(hdrlen + total); + ip->ip_sum = pf_cksum_fixup(ip->ip_sum, ip->ip_off, + ip->ip_off & ~(IP_MF|IP_OFFMASK), 0); ip->ip_off &= ~(IP_MF|IP_OFFMASK); if (hdrlen + total > IP_MAXPACKET) {