K 10
svn:author
V 2
kp
K 8
svn:date
V 27
2019-03-01T18:12:05.903111Z
K 7
svn:log
V 598
MFC r344691:

pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or cause a panic

We mistakenly used the extoff value from the last packet to patch the
next_header field. If a malicious host sends a chain of fragmented packets
where the first packet and the final packet have different lengths or number of
extension headers we'd patch the next_header at the wrong offset.
This can potentially lead to panics or rule bypasses.

Reported by:	Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv
Approved by:	so
Obtained from:	OpenBSD
Security:	CVE-2019-5597

END