pf: improve ASCONF chunk validation

When processing an ASCONF chunk we failed to verify that the chunk
length was at least 8 bytes. As a result we might end up passing a
negative length to pf_multihome_scan(). Fortunately this merely meant
the function did nothing, but we should discard such invalid packets, so
explicitly check for this.

MFC after:	1 week
Reported by:	Mark Johnston
Sponsored by:	Orange Business Services
This commit is contained in:
Kristof Provost
2026-04-28 10:54:24 +02:00
parent 7c450d1127
commit bea1c2fcd7
@@ -8462,6 +8462,9 @@ pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op)
NULL, pd->af))
return (PF_DROP);
if (ntohs(ah.ph.param_length) < sizeof(ah))
return (PF_DROP);
ret = pf_multihome_scan(start + off + sizeof(ah),
ntohs(ah.ph.param_length) - sizeof(ah), pd,
SCTP_ADD_IP_ADDRESS);
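Review bot: the `ntohs(ah.ph.param_length) < sizeof(ah)` test before the SCTP_ADD_IP_ADDRESS call sets only a lower bound. Nothing in these lines caps param_length against the bytes remaining in the enclosing scan (the caller's `len`), so the length handed to the recursive pf_multihome_scan() is still taken directly from the packet. If the upper bound is enforced elsewhere, a short comment saying where would help; otherwise consider also returning PF_DROP when the parameter extends past the enclosing length.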
@@ -8476,6 +8479,10 @@ pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op)
if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah),
NULL, pd->af))
return (PF_DROP);
if (ntohs(ah.ph.param_length) < sizeof(ah))
return (PF_DROP);
ret = pf_multihome_scan(start + off + sizeof(ah),
ntohs(ah.ph.param_length) - sizeof(ah), pd,
SCTP_DEL_IP_ADDRESS);
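Review bot: the length check before the SCTP_DEL_IP_ADDRESS call is a copy of the one in the SCTP_ADD_IP_ADDRESS branch, and in the lines shown the two branches differ only in the op argument. Consider sharing the pf_pull_hdr(), length check and recursive call between the two cases so a later validation change cannot land in one branch and miss the other. A one-line comment tying `sizeof(ah)` to the 8-byte minimum named in the commit message would also make the intent of the comparison clear to the next reader.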