On Thu, May 22, 2014 at 04:20:32PM +0200, Matthias Pitzl wrote:
> If fragmented IPv6 packets are redirected by pf, the code in
pf_refragment6() of
> pf_norm.c lacks a call to in6_proto_cksum_out() to calculate the checksum
for
> the packet before it is broken into fragments again.
> The attached diff fixes this problem in OpenBSD 5.5.
I have my tests in /usr/src/regress/sys/net/pf_fragment up and
running again. They confirm that the bug exists in -current.
*** Error 1 in . (Makefile:225 'run-regress-frag6')
FAILED
*** Error 1 in . (Makefile:234 'run-regress-frag6-ext')
FAILED
This diff fixes those cases. Henning, can you give me an OK?
There is still another failing test left.
*** Error 130 in . (Makefile:149 'run-regress-fragping6')
FAILED
I will look into it.
bluhm
>
> -- Matthias
> --- sys/net/pf_norm.c 2014-05-13 09:23:59.000000000 +0200
> +++ sys/net/pf_norm.c 2014-05-22 15:10:02.448312574 +0200
> @@ -696,20 +696,23 @@ pf_refragment6(struct mbuf **m0, struct
> u_int8_t proto;
> int error, action;
>
> hdrlen = ftag->ft_hdrlen;
> extoff = ftag->ft_extoff;
> maxlen = ftag->ft_maxlen;
> m_tag_delete(m, mtag);
> mtag = NULL;
> ftag = NULL;
>
> + /* Checksum must be calculated for the whole packet */
> + in6_proto_cksum_out(m, NULL);
> +
> if (extoff) {
> int off;
>
> /* Use protocol from next field of last extension header */
> if ((m = m_getptr(m, extoff + offsetof(struct ip6_ext,
> ip6e_nxt), &off)) == NULL)
> panic("pf_refragment6: short mbuf chain");
> proto = *(mtod(m, caddr_t) + off);
> *(mtod(m, caddr_t) + off) = IPPROTO_FRAGMENT;
> m = *m0;
[demime 1.01d removed an attachment of type application/pgp-signature]
