From 01044eaadc8051a1887dd62a62bdbfc2d260d151 Mon Sep 17 00:00:00 2001
From: Daniel Hartmeier <dhartmei@FreeBSD.org>
Date: Sun, 2 May 2004 20:47:24 +0000
Subject: [PATCH] Commit three imported bugfixes from OpenBSD 3.4-stable:

  - change pf_get_pool() argument rule_number type from u_int32_t
    to u_int8_t, fixes corruption of address pools with large
    rulesets (mcbride@)
  - prevent endless loops with route-to (dhartmei@)
  - limit option length to 2 octets max (frantzen@)

Obtained from:	OpenBSD
Approved by:	mlaier(mentor), bms(mentor)
---
 sys/contrib/pf/net/pf.c       | 19 ++++++++-----------
 sys/contrib/pf/net/pf_ioctl.c |  6 +++---
 sys/contrib/pf/net/pf_norm.c  | 10 +++++-----
 3 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/sys/contrib/pf/net/pf.c b/sys/contrib/pf/net/pf.c
index d492096391e0..141b43131d48 100644
--- a/sys/contrib/pf/net/pf.c
+++ b/sys/contrib/pf/net/pf.c
@@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$OpenBSD: pf.c,v 1.389.2.3 2004/04/10 09:38:19 brad Exp $ */
+/*	$OpenBSD: pf.c,v 1.389.2.4 2004/04/30 23:27:57 brad Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -5049,17 +5049,14 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
 	if (ifp == NULL)
 		goto bad;
 
-	mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL);
-	if (mtag == NULL) {
-		struct m_tag *mtag;
+	if (m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL) != NULL)
+		goto bad;
+	mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT);
+	if (mtag == NULL)
+		goto bad;
+	m_tag_prepend(m0, mtag);
 
-		mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT);
-		if (mtag == NULL)
-			goto bad;
-		m_tag_prepend(m0, mtag);
-	}
-
-	if (oifp != ifp && mtag == NULL) {
+	if (oifp != ifp) {
 #ifdef __FreeBSD__
 		PF_UNLOCK();
 		if (pf_test(PF_OUT, ifp, &m0) != PF_PASS) {
diff --git a/sys/contrib/pf/net/pf_ioctl.c b/sys/contrib/pf/net/pf_ioctl.c
index 893262c8c85c..298baf2cf2ee 100644
--- a/sys/contrib/pf/net/pf_ioctl.c
+++ b/sys/contrib/pf/net/pf_ioctl.c
@@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$OpenBSD: pf_ioctl.c,v 1.81.2.1 2004/03/28 01:34:15 brad Exp $ */
+/*	$OpenBSD: pf_ioctl.c,v 1.81.2.2 2004/04/30 23:28:58 brad Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -106,7 +106,7 @@ int			 pfopen(dev_t, int, int, struct proc *);
 int			 pfclose(dev_t, int, int, struct proc *);
 #endif
 struct pf_pool		*pf_get_pool(char *, char *, u_int32_t,
-			    u_int8_t, u_int8_t, u_int8_t, u_int8_t, u_int8_t);
+			    u_int8_t, u_int32_t, u_int8_t, u_int8_t, u_int8_t);
 int			 pf_get_ruleset_number(u_int8_t);
 void			 pf_init_ruleset(struct pf_ruleset *);
 void			 pf_mv_pool(struct pf_palist *, struct pf_palist *);
@@ -449,7 +449,7 @@ pfclose(dev_t dev, int flags, int fmt, struct proc *p)
 
 struct pf_pool *
 pf_get_pool(char *anchorname, char *rulesetname, u_int32_t ticket,
-    u_int8_t rule_action, u_int8_t rule_number, u_int8_t r_last,
+    u_int8_t rule_action, u_int32_t rule_number, u_int8_t r_last,
     u_int8_t active, u_int8_t check_ticket)
 {
 	struct pf_ruleset	*ruleset;
diff --git a/sys/contrib/pf/net/pf_norm.c b/sys/contrib/pf/net/pf_norm.c
index 9bba4e839493..10f066e787ca 100644
--- a/sys/contrib/pf/net/pf_norm.c
+++ b/sys/contrib/pf/net/pf_norm.c
@@ -1,5 +1,5 @@
 /*	$FreeBSD$	*/
-/*	$OpenBSD: pf_norm.c,v 1.75 2003/08/29 01:49:08 dhartmei Exp $ */
+/*	$OpenBSD: pf_norm.c,v 1.75.2.1 2004/04/30 23:28:36 brad Exp $ */
 
 /*
  * Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -1535,8 +1535,8 @@ pf_normalize_tcp_init(struct mbuf *m, int off, struct pf_pdesc *pd,
 				}
 				/* FALLTHROUGH */
 			default:
-				hlen -= opt[1];
-				opt += opt[1];
+				hlen -= MAX(opt[1], 2);
+				opt += MAX(opt[1], 2);
 				break;
 			}
 		}
@@ -1649,8 +1649,8 @@ pf_normalize_tcp_stateful(struct mbuf *m, int off, struct pf_pdesc *pd,
 				}
 				/* FALLTHROUGH */
 			default:
-				hlen -= opt[1];
-				opt += opt[1];
+				hlen -= MAX(opt[1], 2);
+				opt += MAX(opt[1], 2);
 				break;
 			}
 		}