pf tests: test IPv6 fragmentation with link-local addresses

We've observed a panic after pf_refragment6() with link-local addresses, because pf_refragment6() calls ip6_forward() even for a simple output case. That results in us entering ip6_forward() with an mbuf with a NULL m->m_pkthdr.rcvif, which can cause a NULL deref (but seemingly not for GUAs. Test sending fragmented link-local packets to pf. MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D39063 (cherry picked from commit 225e85513f)
2023-03-12 16:08:31 +01:00 · 2023-03-12 16:08:31 +01:00 · 87b8226c7b
parent 17fe4735f5
commit 87b8226c7b
1 changed files with 10 additions and 0 deletions
--- a/tests/sys/netpfil/pf/fragmentation.sh
+++ b/tests/sys/netpfil/pf/fragmentation.sh
@ -102,6 +102,10 @@ v6_body()
 	jexec singsing ifconfig ${epair_link}b inet6 -ifdisabled
 	ifconfig ${epair_send}a inet6 -ifdisabled

+	ifconfig ${epair_send}a
+	jexec alcatraz ifconfig ${epair_send}b
+	lladdr=$(jexec alcatraz ifconfig ${epair_send}b | awk '/ scopeid / { print($2); }' | cut -f 1 -d %)
+
 	jexec alcatraz pfctl -e
 	pft_set_rules alcatraz \
 		"scrub fragment reassemble" \
@ -120,6 +124,12 @@ v6_body()
 	atf_check -s exit:0 -o ignore\
 		ping -6 -c 1 -b 70000 -s 65000 2001:db8:42::2

+	# Force an NDP lookup
+	ping -6 -c 1 ${lladdr}%${epair_send}a
+
+	atf_check -s exit:0 -o ignore\
+		ping -6 -c 1 -b 70000 -s 65000 ${lladdr}%${epair_send}a
+
 	# Forwarding test
 	atf_check -s exit:0 -o ignore \
 		ping -6 -c 1 2001:db8:43::3