---
- branch: MAIN
  date: Fri Dec 15 21:00:26 UTC 2017
  files:
    - new: '1.55'
      old: '1.54'
      path: src/sys/net/npf/npf.h
      pathrev: src/sys/net/npf/npf.h@1.55
      type: modified
  id: 20171215T210026Z.5be3f3d21b5e8245288dcccb23fc4ae5288dd632
  log: |
    Fix a vulnerability in NPF that allows any incoming IPv6 packet to
    bypass a certain number of filtering rules.

    Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
    8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
    has large extensions.

    As a result of an overflow, (mbuf + npc_hlen) won't point at the real
    protocol header, but instead at some garbage within the packet. That
    garbage is what NPF applies its rules on.

    If these filtering rules allow the packet to enter, that packet is given
    to the main IPv6 entry point. This entry point, however, is not subject to
    an integer overflow, so it will actually parse the correct protocol header.

    The result is: NPF read a wrong header, allowed the packet to enter, the
    kernel read the correct header, and delivered the packet depending on this
    correct header. So the offending packet was supposed to be kicked, but
    still went through the firewall.

    Simple example, a packet with:
        packet + 0   = IP6 Header
        packet + 40  = IP6 Routing header (ip6r_len = 31)
        packet + 48  = Crafted UDP header (uh_dport = 7777)
        packet + 296 = IP6 Dest header (ip6e_len = 0)
        packet + 304 = Real UDP header (uh_dport = 6666)
    will bypass a rule of the kind "block port 6666". Here NPF reads the
    crafted UDP header, sees 7777, lets the packet in; later the kernel reads
    the real UDP header, and delivers it on port 6666.

    Fix this by using uint32_t. While here, it seems to me there is also a
    memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
    a value that goes beyond the mbuf.
  module: src
  subject: 'CVS commit: src/sys/net/npf'
  unixtime: '1513371626'
  user: maxv