On Tue, May 03, 2022 at 10:10:23AM +0200, Alexandr Nedvedicky wrote:
> updated diff is below.
> thanks for taking a look at it.
OK bluhm@
> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/sys/net/pf.c b/sys/net/pf.c
> index f15e1ead8c0..bf9593952ec 100644
> --- a/sys/net/pf.c
> +++ b/sys/net/pf.c
> @@ -6456,8 +6456,15 @@ pf_walk_header(struct pf_pdesc *pd, struct ip *h,
> u_short *reason)
> pd->off += hlen;
> pd->proto = h->ip_p;
> /* IGMP packets have router alert options, allow them */
> - if (pd->proto == IPPROTO_IGMP)
> + if (pd->proto == IPPROTO_IGMP) {
> + /* According to RFC 1112 ttl must be set to 1. */
> + if (h->ip_ttl != 1) {
> + DPFPRINTF(LOG_NOTICE, "TTL in IGMP must be 1");
> + REASON_SET(reason, PFRES_IPOPTIONS);
> + return (PF_DROP);
> + }
> CLR(pd->badopts, PF_OPT_ROUTER_ALERT);
> + }
> /* stop walking over non initial fragments */
> if ((h->ip_off & htons(IP_OFFMASK)) != 0)
> return (PF_PASS);
> @@ -6698,6 +6705,19 @@ pf_walk_header6(struct pf_pdesc *pd, struct ip6_hdr
> *h, u_short *reason)
> case MLD_LISTENER_REPORT:
> case MLD_LISTENER_DONE:
> case MLDV2_LISTENER_REPORT:
> + /*
> + * According to RFC 2710 all MLD messages are
> + * sent with hop-limit (ttl) set to 1, and link
> + * local source address. If either one is
> + * missing then MLD message is invalid and
> + * should be discarded.
> + */
> + if ((h->ip6_hlim != 1) ||
> + !IN6_IS_ADDR_LINKLOCAL(&h->ip6_src)) {
> + DPFPRINTF(LOG_NOTICE, "invalid MLD");
> + REASON_SET(reason, PFRES_IPOPTIONS);
> + return (PF_DROP);
> + }
> CLR(pd->badopts, PF_OPT_ROUTER_ALERT);
> break;
> }
