untrusted comment: verify with openbsd-63-base.pub

untrusted comment: verify with openbsd-63-base.pub
RWRxzbLwAd76ZeXJ4+O6l1UcypT2D0NY3Vpu/Xf9jtESRHY4PfT07CK/YPYN0EABdBlRgMrrUDNiwQTj9PpOaVUlAuVMpCD2zgc=

OpenBSD 6.3 errata 031, March 22, 2019:

A state in pf could pass ICMP packets to a destination IP address
that did not match the state.

Apply by doing:
signify -Vep /etc/signify/openbsd-63-base.pub -x 031_pficmp.patch.sig \
-m - | (cd /usr/src && patch -p0)

And then rebuild and install a new kernel:
KK=`sysctl -n kern.osversion | cut -d# -f1`
cd /usr/src/sys/arch/`machine`/compile/$KK
make obj
make config
make
make install

Index: sys/net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.1063
diff -u -p -r1.1063 pf.c
--- sys/net/pf.c 6 Mar 2018 17:35:53 -0000 1.1063
+++ sys/net/pf.c 20 Mar 2019 20:24:15 -0000
@@ -4947,7 +4947,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
u_short *reason)
{
u_int16_t virtual_id, virtual_type;
- u_int8_t icmptype;
+ u_int8_t icmptype, icmpcode;
int icmp_dir, iidx, ret, copyback = 0;

struct pf_state_key_cmp key;
@@ -4955,10 +4955,12 @@ pf_test_state_icmp(struct pf_pdesc *pd,
switch (pd->proto) {
case IPPROTO_ICMP:
icmptype = pd->hdr.icmp.icmp_type;
+ icmpcode = pd->hdr.icmp.icmp_code;
break;
#ifdef INET6
case IPPROTO_ICMPV6:
icmptype = pd->hdr.icmp6.icmp6_type;
+ icmpcode = pd->hdr.icmp6.icmp6_code;
break;
#endif /* INET6 */
default:
@@ -5134,6 +5136,24 @@ pf_test_state_icmp(struct pf_pdesc *pd,
unhandled_af(pd->af);
}

+ if (PF_ANEQ(pd->dst, pd2.src, pd->af)) {
+ if (pf_status.debug >= LOG_NOTICE) {
+ log(LOG_NOTICE,
+ "pf: BAD ICMP %d:%d outer dst: ",
+ icmptype, icmpcode);
+ pf_print_host(pd->src, 0, pd->af);
+ addlog(" -> ");
+ pf_print_host(pd->dst, 0, pd->af);
+ addlog(" inner src: ");
+ pf_print_host(pd2.src, 0, pd2.af);
+ addlog(" -> ");
+ pf_print_host(pd2.dst, 0, pd2.af);
+ addlog("\n");
+ }
+ REASON_SET(reason, PFRES_BADSTATE);
+ return (PF_DROP);
+ }
+
switch (pd2.proto) {
case IPPROTO_TCP: {
struct tcphdr *th = &pd2.hdr.tcp;
@@ -5199,7 +5219,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
if (pf_status.debug >= LOG_NOTICE) {
log(LOG_NOTICE,
"pf: BAD ICMP %d:%d ",
- icmptype, pd->hdr.icmp.icmp_code);
+ icmptype, icmpcode);
pf_print_host(pd->src, 0, pd->af);
addlog(" -> ");
pf_print_host(pd->dst, 0, pd->af);
@@ -5213,7 +5233,7 @@ pf_test_state_icmp(struct pf_pdesc *pd,
if (pf_status.debug >= LOG_DEBUG) {
log(LOG_DEBUG,
"pf: OK ICMP %d:%d ",
- icmptype, pd->hdr.icmp.icmp_code);
+ icmptype, icmpcode);
pf_print_host(pd->src, 0, pd->af);
addlog(" -> ");
pf_print_host(pd->dst, 0, pd->af);