author | Gordon Tetlow <gordon@FreeBSD.org> | 2019-05-14 23:10:21 +0000 |
---|---|---|
committer | Gordon Tetlow <gordon@FreeBSD.org> | 2019-05-14 23:10:21 +0000 |
commit | f2dbf50589226ac512ffe150e81d56a591a714d6 (patch) | |
tree | 5af13638272e09a6a0dbe25e8677c2a9d6d9a98c | |
parent | d7a48680970eb6efd8535e6247a60154fad67d60 (diff) | |
Fix IPv6 fragment reassembly panic in pf
Approved by: so
Security: FreeBSD-SA-19:05.pf
Security: CVE-2019-5597
Notes
Notes:
svn path=/releng/12.0/; revision=347591
-rw-r--r-- | sys/netpfil/pf/pf_norm.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index f5ef31de06a2..7234c1def914 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -668,11 +668,11 @@ pf_reassemble6(struct mbuf **m0, struct ip6_hdr *ip6, struct ip6_frag *fraghdr,
 }
 /* We have all the data. */
+ frent = TAILQ_FIRST(&frag->fr_queue);
+ KASSERT(frent != NULL, ("frent != NULL"));
 extoff = frent->fe_extoff;
 maxlen = frag->fr_maxlen;
 frag_id = frag->fr_id;
- frent = TAILQ_FIRST(&frag->fr_queue);
- KASSERT(frent != NULL, ("frent != NULL"));
 total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off + TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len;
 hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag); |
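Review bot: The statement order introduced here is load-bearing but undocumented: `extoff = frent->fe_extoff;` is only correct once `frent` has been re-pointed at `TAILQ_FIRST(&frag->fr_queue)`, and nothing in the code warns a later editor against moving these lines apart again. A short comment above the assignment would pin it, for example `/* Re-read frent from the queue head first: fe_extoff and fe_hdrlen must come from the first fragment. */`. Separately, `KASSERT` is compiled in only on INVARIANTS kernels, so on a production build an empty queue would reach the `frent->fe_extoff` dereference unchecked. Presumably the earlier part of pf_reassemble6 guarantees at least one queued entry, which is worth confirming because that code is outside this hunk. The function body starts before and continues after the hunk.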