Fix a security issue with pf with SCTP packet validations.

laffer1 · laffer1 · commit 376e4d68ecfa · 2026-04-29T22:36:42.000-04:00
Obtained: FreeBSD
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
@@ -5929,7 +5929,7 @@ pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, struct pfi_kkif *kif,
 
 static int
 pf_multihome_scan(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
-    struct pfi_kkif *kif, int op)
+    struct pfi_kkif *kif, int op, bool asconf)
 {
 	int			 off = 0;
 	struct pf_sctp_multihome_job	*job;
@@ -6023,13 +6023,16 @@ pf_multihome_scan(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
 			int ret;
 			struct sctp_asconf_paramhdr ah;
 
+			if (asconf)
+				return (PF_DROP);
+
 			if (!pf_pull_hdr(m, start + off, &ah, sizeof(ah),
 			    NULL, NULL, pd->af))
 				return (PF_DROP);
 
 			ret = pf_multihome_scan(m, start + off + sizeof(ah),
 			    ntohs(ah.ph.param_length) - sizeof(ah), pd, kif,
-			    SCTP_ADD_IP_ADDRESS);
+			    SCTP_ADD_IP_ADDRESS, true);
 			if (ret != PF_PASS)
 				return (ret);
 			break;
@@ -6038,12 +6041,15 @@ pf_multihome_scan(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
 			int ret;
 			struct sctp_asconf_paramhdr ah;
 
+			if (asconf)
+				return (PF_DROP);
+
 			if (!pf_pull_hdr(m, start + off, &ah, sizeof(ah),
 			    NULL, NULL, pd->af))
 				return (PF_DROP);
 			ret = pf_multihome_scan(m, start + off + sizeof(ah),
 			    ntohs(ah.ph.param_length) - sizeof(ah), pd, kif,
-			    SCTP_DEL_IP_ADDRESS);
+			    SCTP_DEL_IP_ADDRESS, true);
 			if (ret != PF_PASS)
 				return (ret);
 			break;
@@ -6065,7 +6071,8 @@ pf_multihome_scan_init(struct mbuf *m, int start, int len, struct pf_pdesc *pd,
 	start += sizeof(struct sctp_init_chunk);
 	len -= sizeof(struct sctp_init_chunk);
 
-	return (pf_multihome_scan(m, start, len, pd, kif, SCTP_ADD_IP_ADDRESS));
+	return (pf_multihome_scan(m, start, len, pd, kif, SCTP_ADD_IP_ADDRESS,
+	    false));
 }
 
 int
@@ -6075,7 +6082,8 @@ pf_multihome_scan_asconf(struct mbuf *m, int start, int len,
 	start += sizeof(struct sctp_asconf_chunk);
 	len -= sizeof(struct sctp_asconf_chunk);
 
-	return (pf_multihome_scan(m, start, len, pd, kif, SCTP_ADD_IP_ADDRESS));
+	return (pf_multihome_scan(m, start, len, pd, kif, SCTP_ADD_IP_ADDRESS,
+	    false));
 }
 
 int
diff --git a/tests/sys/netpfil/pf/sctp.py b/tests/sys/netpfil/pf/sctp.py
@@ -493,6 +493,96 @@ def test_initiate_tag_check(self):
         assert r.getlayer(sp.SCTPChunkInitAck)
         assert r.getlayer(sp.SCTP).tag == 42
 
+class TestSCTP_SRV(VnetTestTemplate):
+    REQUIRED_MODULES = ["sctp", "pf"]
+    TOPOLOGY = {
+        "vnet1": {"ifaces": ["if1"]},
+        "vnet2": {"ifaces": ["if1"]},
+        "if1": {"prefixes4": [("192.0.2.1/24", "192.0.2.2/24")]},
+    }
+
+    def vnet2_handler(self, vnet):
+        ToolsHelper.print_output("/sbin/pfctl -e")
+        ToolsHelper.pf_rules([
+            "set state-policy if-bound",
+            "pass inet proto sctp",
+            "pass on lo"])
+
+        # Start an SCTP server process, pipe the ppid + data back to the other vnet?
+        srv = SCTPServer(socket.AF_INET, port=1234)
+        while True:
+            srv.accept(vnet)
+
+    @pytest.mark.require_user("root")
+    @pytest.mark.require_progs(["scapy"])
+    def test_initiate_tag_check(self):
+        # Ensure we don't send ABORTs in response to the other end's INIT_ACK
+        # That'd interfere with our test.
+        ToolsHelper.print_output("/sbin/sysctl net.inet.sctp.blackhole=2")
+
+        import scapy.all as sp
+
+        packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \
+            / sp.SCTP(sport=1234, dport=1234) \
+            / sp.SCTPChunkInit(init_tag=1, n_in_streams=1, n_out_streams=1, a_rwnd=1500)
+        packet.show()
+
+        r = sp.sr1(packet, timeout=3)
+        assert r
+        r.show()
+        assert r.getlayer(sp.SCTP)
+        assert r.getlayer(sp.SCTPChunkInitAck)
+        assert r.getlayer(sp.SCTP).tag == 1
+
+        # Send another INIT with the same initiate tag, expect another init ack
+        packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \
+            / sp.SCTP(sport=1234, dport=1234) \
+            / sp.SCTPChunkInit(init_tag=1, n_in_streams=1, n_out_streams=1, a_rwnd=1500)
+        packet.show()
+
+        r = sp.sr1(packet, timeout=3)
+        assert r
+        r.show()
+        assert r.getlayer(sp.SCTP)
+        assert r.getlayer(sp.SCTPChunkInitAck)
+        assert r.getlayer(sp.SCTP).tag == 1
+
+        # Send an INIT with a different initiate tag, expect another init ack
+        packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \
+            / sp.SCTP(sport=1234, dport=1234) \
+            / sp.SCTPChunkInit(init_tag=42, n_in_streams=1, n_out_streams=1, a_rwnd=1500)
+        packet.show()
+
+        r = sp.sr1(packet, timeout=3)
+        assert r
+        r.show()
+        assert r.getlayer(sp.SCTP)
+        assert r.getlayer(sp.SCTPChunkInitAck)
+        assert r.getlayer(sp.SCTP).tag == 42
+
+    @pytest.mark.require_user("root")
+    @pytest.mark.require_progs(["scapy"])
+    def test_too_many_add_ip(self):
+        import scapy.all as sp
+        DEPTH=90
+        params=[]
+        for i in range(0, DEPTH):
+            ch = sp.SCTPChunkParamAddIPAddr(len=(DEPTH - i) * 8)
+            params.append(ch)
+        packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \
+            / sp.SCTP(sport=4321, dport=1234) \
+            / sp.SCTPChunkInit(init_tag=1, n_in_streams=1, n_out_streams=1, a_rwnd=1500,
+                params=params)
+        packet.show()
+        sp.hexdump(packet)
+        print("len %d" % len(packet))
+
+        r = sp.sr1(packet, timeout=3)
+        # We should not get a reply to this
+        if r:
+            r.show()
+        assert not r
+
 class TestSCTPv6(VnetTestTemplate):
     REQUIRED_MODULES = ["sctp", "pf"]
     TOPOLOGY = {
