D46929.diff
No OneTemporary
Actions

Size

1 KB

Referenced Files

None

Subscribers

None

D46929.diff
View Options

	diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
	--- a/sys/netpfil/pf/pf.c
	+++ b/sys/netpfil/pf/pf.c
	@@ -7342,6 +7342,11 @@
	case IPPROTO_ICMP: {
	struct icmp *iih = &pd2.hdr.icmp;

	+ if (pd2.af != AF_INET) {
	+ REASON_SET(reason, PFRES_NORM);
	+ return (PF_DROP);
	+ }
	+
	if (!pf_pull_hdr(m, off2, iih, ICMP_MINLEN,
	NULL, reason, pd2.af)) {
	DPFPRINTF(PF_DEBUG_MISC,
	@@ -7400,6 +7405,11 @@
	case IPPROTO_ICMPV6: {
	struct icmp6_hdr *iih = &pd2.hdr.icmp6;

	+ if (pd2.af != AF_INET6) {
	+ REASON_SET(reason, PFRES_NORM);
	+ return (PF_DROP);
	+ }
	+
	if (!pf_pull_hdr(m, off2, iih,
	sizeof(struct icmp6_hdr), NULL, reason, pd2.af)) {
	DPFPRINTF(PF_DEBUG_MISC,
	@@ -9201,6 +9211,7 @@
	case IPPROTO_ICMP: {
	if (af != AF_INET) {
	action = PF_DROP;
	+ REASON_SET(&reason, PFRES_NORM);
	DPFPRINTF(PF_DEBUG_MISC,
	("dropping IPv6 packet with ICMPv4 payload"));
	goto done;
	@@ -9220,6 +9231,7 @@
	case IPPROTO_ICMPV6: {
	if (af != AF_INET6) {
	action = PF_DROP;
	+ REASON_SET(&reason, PFRES_NORM);
	DPFPRINTF(PF_DEBUG_MISC,
	("pf: dropping IPv4 packet with ICMPv6 payload\n"));
	goto done;