Binding the accept socket in TCP input relies on the fact that the
listen port is not bound to port 0.  With a matching pf divert-to
rule this assumption is no longer true and could crash the kernel
with kassert.  In both pf and stack drop TCP packets with destination
port 0 before they can do harm.
OK sashan@ claudio@
bluhm committed Jan 12, 2023
1 parent 73be947 commit 0a54372
Showing 2 changed files with 9 additions and 3 deletions.
5 changes: 3 additions & 2 deletions sys/net/pf.c
@@ -1,4 +1,4 @@
/* $OpenBSD: pf.c,v 1.1169 2023/01/06 17:44:34 sashan Exp $ */
/* $OpenBSD: pf.c,v 1.1170 2023/01/12 13:09:47 bluhm Exp $ */

/*
* Copyright (c) 2001 Daniel Hartmeier
Expand Down Expand Up @@ -7254,7 +7254,8 @@ pf_setup_pdesc(struct pf_pdesc *pd, sa_family_t af, int dir,
NULL, reason, pd->af))
return (PF_DROP);
pd->hdrlen = sizeof(*th);
if (pd->off + (th->th_off << 2) > pd->tot_len ||
if (th->th_dport == 0 ||
pd->off + (th->th_off << 2) > pd->tot_len ||
(th->th_off << 2) < sizeof(struct tcphdr)) {
REASON_SET(reason, PFRES_SHORT);
return (PF_DROP);
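Review bot: In pf_setup_pdesc(), the added `th->th_dport == 0` test shares its branch with the two header-length checks, so a TCP packet with a complete, correctly sized header and destination port 0 is dropped with reason PFRES_SHORT, which will mislead anyone reading the pf drop counters. Consider giving the port check its own if block with a reason that does not imply a truncated header, or at least add a comment here stating that port 0 is dropped because a matching divert-to rule would otherwise let it reach the accept-socket bind in TCP input.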
7 changes: 6 additions & 1 deletion sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
/* $OpenBSD: tcp_input.c,v 1.384 2022/12/09 00:24:44 bluhm Exp $ */
/* $OpenBSD: tcp_input.c,v 1.385 2023/01/12 13:09:47 bluhm Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */

/*
Expand Down Expand Up @@ -522,6 +522,11 @@ tcp_input(struct mbuf **mp, int *offp, int proto, int af)
th->th_win = ntohs(th->th_win);
th->th_urp = ntohs(th->th_urp);

if (th->th_dport == 0) {
tcpstat_inc(tcps_noport);
goto dropwithreset_ratelim;
}

/*
* Locate pcb for segment.
*/
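Review bot: The new `if (th->th_dport == 0)` block in tcp_input() carries no comment, and the reason for it (binding the accept socket assumes the listen port is not 0, which a pf divert-to rule can violate) exists only in the commit message. A short comment above the check would keep a later cleanup from removing it as redundant with the pf check, and could note that comparing against 0 needs no byte-order conversion. The stack path answers through dropwithreset_ratelim while the pf path returns PF_DROP, so it is worth stating in that comment that the difference is intended.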