From 49f384cb477bd32a4d1e85f0bf9fe7499f6b3e72 Mon Sep 17 00:00:00 2001 From: Eugene Grosbein Date: Wed, 12 Feb 2020 00:31:00 +0000 Subject: [PATCH] ng_nat: avoid panic if attached directly to ng_ether and got short packet From the beginning, ng_nat safely assumed cleansed traffic because of limited ways it could be attached to NETGRAPH: ng_ipfw or ng_ppp only. Now as it may be attached with ng_ether too, the assumption proven wrong. Add needed check to the ng_nat. Thanks for markj for debugging this. PR: 243096 Submitted by: Lutz Donnerhacke Reported by: Robert James Hernandez Reviewed by: markj and others MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D23091 --- sys/netgraph/ng_nat.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/sys/netgraph/ng_nat.c b/sys/netgraph/ng_nat.c index f0784f43ddb..4b6039d3365 100644 --- a/sys/netgraph/ng_nat.c +++ b/sys/netgraph/ng_nat.c @@ -806,11 +806,16 @@ ng_nat_rcvdata(hook_p hook, item_p item ) panic("Corrupted priv->dlt: %u", priv->dlt); } + if (m->m_pkthdr.len < ipofs + sizeof(struct ip)) + goto send; /* packet too short to hold IP */ + c = (char *)mtodo(m, ipofs); ip = (struct ip *)mtodo(m, ipofs); - KASSERT(m->m_pkthdr.len == ipofs + ntohs(ip->ip_len), - ("ng_nat: ip_len != m_pkthdr.len")); + if (ip->ip_v != IPVERSION) + goto send; /* other IP version, let it pass */ + if (m->m_pkthdr.len < ipofs + ntohs(ip->ip_len)) + goto send; /* packet too short (i.e. fragmented or broken) */ /* * We drop packet when: