OPNSense/src 9cae629sys/netpfil/pf pf_norm.c

pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic

We mistakenly used the extoff value from the last packet to patch the
next_header field. If a malicious host sends a chain of fragmented packets
where the first packet and the final packet have different lengths or number of
extension headers we'd patch the next_header at the wrong offset.
This can potentially lead to panics or rule bypasses.

Security:       CVE-2019-5597
Obtained from:  OpenBSD
Reported by:    Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
DeltaFile
+2-2sys/netpfil/pf/pf_norm.c
+2-21 files

UnifiedSplitRaw