freebsd-dev

History

Kristof Provost 6f4909de5f pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic We mistakenly used the extoff value from the last packet to patch the next_header field. If a malicious host sends a chain of fragmented packets where the first packet and the final packet have different lengths or number of extension headers we'd patch the next_header at the wrong offset. This can potentially lead to panics or rule bypasses. Security: CVE-2019-5597 Obtained from: OpenBSD Reported by: Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv	2019-03-01 07:37:45 +00:00
..
ipfw	Remove `set' field from state structure and use set from parent rule.	2019-02-11 18:10:55 +00:00
pf	pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic	2019-03-01 07:37:45 +00:00

Kristof Provost 6f4909de5f pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic

We mistakenly used the extoff value from the last packet to patch the
next_header field. If a malicious host sends a chain of fragmented packets
where the first packet and the final packet have different lengths or number of
extension headers we'd patch the next_header at the wrong offset.
This can potentially lead to panics or rule bypasses.

Security:       CVE-2019-5597
Obtained from:  OpenBSD
Reported by:    Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

2019-03-01 07:37:45 +00:00

ipfw

Remove `set' field from state structure and use set from parent rule.

2019-02-11 18:10:55 +00:00

pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic

2019-03-01 07:37:45 +00:00