Bridged packets are supplied to the firewall with their IP header

in network byte order, but icmp_error() expects the IP header to
be in host order and the code here did not perform the necessary
swapping for the bridged case. This bug causes an "icmp_error: bad
length" panic when certain length IP packets (e.g. ip_len == 0x100)
are rejected by the firewall with an ICMP response.

MFC after:	3 days

sys/netinet/ip_fw.c

@@ -1236,7 +1236,6 @@ again:
 		/* Check if rule only valid for bridged packets */
 		if ((f->fw_flg & IP_FW_BRIDGED) != 0 && !(BRIDGED))
 		    continue;
-#undef BRIDGED
 
 		if (oif) {
 		    /* Check direction outbound */
@@ -1628,6 +1627,11 @@ got_match:
 	    && (proto != IPPROTO_ICMP || is_icmp_query(ip))
 	    && !((*m)->m_flags & (M_BCAST|M_MCAST))
 	    && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
+		/* Must convert to host order for icmp_error() etc. */
+		if (BRIDGED) {
+			ip->ip_len = ntohs(ip->ip_len);
+			ip->ip_off = ntohs(ip->ip_off);
+		}
 		switch (f->fw_reject_code) {
 		case IP_FW_REJECT_RST:
 		    {
@@ -1670,6 +1674,7 @@ dropit:
 	 * Finally, drop the packet.
 	 */
 	return(IP_FW_PORT_DENY_FLAG);
+#undef BRIDGED
 }
 
 /*

sys/netinet/ip_fw2.c

@@ -1136,9 +1136,15 @@ static void
 send_reject(struct ip_fw_args *args, int code, int offset, int ip_len)
 {
 
-	if (code != ICMP_REJECT_RST) /* Send an ICMP unreach */
+	if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */
+		/* We need the IP header in host order for icmp_error(). */
+		if (args->eh != NULL) {
+			struct ip *ip = mtod(args->m, struct ip *);
+			ip->ip_len = ntohs(ip->ip_len);
+			ip->ip_off = ntohs(ip->ip_off);
+		}
 		icmp_error(args->m, ICMP_UNREACH, code, 0L, 0);
-	else if (offset == 0 && args->f_id.proto == IPPROTO_TCP) {
+	} else if (offset == 0 && args->f_id.proto == IPPROTO_TCP) {
 		struct tcphdr *const tcp =
 		    L3HDR(struct tcphdr, mtod(args->m, struct ip *));
 		if ( (tcp->th_flags & TH_RST) == 0)