CVE-2018-17156 Ping vulnerability? Is Opnsense affected?

[zaggynl]

Details in here: https://www.reddit.com/r/BSD/comments/9v6xwg/remotely_triggerable_icmp_buffer_underwrite_in/

[lattera]

FreeBSD 11.1, which OPNsense is currently based on, is not affected when the sysctl nodes have been left to their default values.

The soon-to-be-released FreeBSD 12.0 was affected (along with 13-CURRENT). I'm paying attention to how this folds out and will keep you updated should anything change.

[lattera]

I should clarify that OPNsense is not affected by the ICMP issue when the net.inet.icmp.quotelen sysctl node is kept at its default value of 8.

Details are scarce regarding the net.inet.ip.maxfragsperpacket sysctl node and the code that uses it. It would be good to see a security audit of these older networking bits of code.

In HardenedBSD 13-CURRENT, I've defaulted both those sysctl nodes to the values recommended in that Reddit post: https://github.com/HardenedBSD/hardenedBSD/commit/d60f241d77eb286179aa25bc58a99b55833b2d10

[zaggynl]

Thank you, good to hear.