From 8bc336fba5453fae46de35c841fe63f1c85ec816 Mon Sep 17 00:00:00 2001
From: RoundofThree
Date: Sun, 29 Dec 2024 14:53:12 +0000
Subject: [PATCH 1/4] pf: Disable CHERI subobject bounds in pf_addr
---
 sys/netpfil/pf/pf.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index 16cc9c0c8580..7edf65505525 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -296,7 +296,7 @@ struct pf_addr {
 u_int8_t addr8[16];
 u_int16_t addr16[8];
 u_int32_t addr32[4];
- }; /* 128-bit address */
+ } __no_subobject_bounds; /* 128-bit address */
 };
 
 #define PFI_AFLAG_NETWORK 0x01
From 4d0013ae452e0ec6052ebc7cd63c87984402965c Mon Sep 17 00:00:00 2001
From: RoundofThree
Date: Sun, 29 Dec 2024 14:53:53 +0000
Subject: [PATCH 2/4] pf: Disable CHERI subobject bounds in pf_pdesc
---
 sys/net/pfvar.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 9bd899e9898a..3869c3c5db94 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1598,7 +1598,7 @@ struct pf_pdesc {
 #ifdef INET6
 struct icmp6_hdr icmp6;
 #endif /* INET6 */
- char any[0];
+ char any[0] __no_subobject_bounds;
 } hdr;
 
 struct pf_krule *nat_rule; /* nat/rdr rule applied to packet */
From f2011182f1d45910fd4c8c84c65513282486c0c4 Mon Sep 17 00:00:00 2001
From: RoundofThree
Date: Sun, 29 Dec 2024 14:54:17 +0000
Subject: [PATCH 3/4] pf: Add a padding to pfioc_qstats_v1 to have a different size to pfioc_qstats_v0
The struct sizes are used to generate IOCTL code numbers. In CHERI purecap, the struct sizes of pfioc_qstats_v1 and pfioc_qstats_v0 are identical, causing a compile error.
---
 sys/net/pfvar.h | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 3869c3c5db94..1ff6273b4e08 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
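Review bot: The `__no_subobject_bounds` added to the anonymous union in pf_addr (and to `char any[0]` in pf_pdesc in the next hunk) carries no comment explaining which access pattern needs whole-object bounds, so a later reader cannot tell whether the widening is still required or could be narrowed. On CHERI this attribute gives up the per-member spatial check for every pointer derived from that member, so the justification belongs at the site, e.g. `/* CHERI: pointers derived from one member are used to reach the whole 128-bit address */` on the pf_addr union, adjusted to the actual reason. The same comment belongs on `any[0]`, which as a zero-length array is presumably used as a base pointer over the whole hdr union. Both struct definitions continue outside their hunks.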
@@ -1918,6 +1918,7 @@ struct pfioc_qstats_v1 {
 * written entirely in terms of the v0 or v1 type.
 */
 u_int32_t version; /* Requested version of stats struct */
+ void *pad;
 };
 
 /* Latest version of struct pfioc_qstats_vX */
From 29703dab9e68fae927da2a609c3dc02b6424dcad Mon Sep 17 00:00:00 2001
From: RoundofThree
Date: Sun, 29 Dec 2024 14:55:00 +0000
Subject: [PATCH 4/4] pf: Avoid CHERI crashes due to an inocent OOB access of to-be-discarded memory
---
 sys/netpfil/pf/pf_norm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 295377bef3e8..7c2802b7b3f6 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1478,10 +1478,10 @@ pf_normalize_tcp(struct pfi_kkif *kif, struct mbuf *m, int ipoff,
 (tcp_get_flags(th) & (TH_RES1|TH_RES2|TH_RES2)) != 0) {
 u_int16_t ov, nv;
 
- ov = *(u_int16_t *)(&th->th_ack + 1);
+ ov = *(u_int16_t *)(__unbounded_addressof(th->th_ack) + 1);
 flags &= ~(TH_RES1 | TH_RES2 | TH_RES3);
 tcp_set_flags(th, flags);
- nv = *(u_int16_t *)(&th->th_ack + 1);
+ nv = *(u_int16_t *)(__unbounded_addressof(th->th_ack) + 1);
 
 th->th_sum = pf_proto_cksum_fixup(m, th->th_sum, ov, nv, 0);
 rewrite = 1;
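Review bot: `void *pad;` enlarges pfioc_qstats_v1 under every ABI, not just CHERI purecap, so the ioctl command encoded from its size changes for existing non-purecap consumers too, while the commit message only motivates the purecap case; if only that build needs the disambiguation, make the member conditional with `#ifdef __CHERI_PURE_CAPABILITY__` / `#endif`. A pointer-typed pad in a kernel/user interface struct is also unusual — it becomes a capability on purecap and its size tracks pointer width elsewhere — so an explicitly sized integer array (e.g. `u_int32_t pad[2];`, if that suffices to change the purecap size) is easier to reason about and to zero. Whichever form is kept, a comment such as `/* Only here so sizeof() differs from pfioc_qstats_v0 (ioctl numbering) */` would record the intent, and the ioctl handler should neither interpret the field nor copy it out unzeroed if it ever builds the struct in kernel memory. The struct's earlier members are outside the hunk.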
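Review bot: The two reads through `__unbounded_addressof(th->th_ack) + 1` target the 16-bit word that follows th_ack inside the live TCP header (data offset/reserved/flags), which is the word tcp_set_flags() rewrites and whose before/after values feed the checksum fixup, so this is not to-be-discarded memory and only the th_ack subobject bound is being escaped; the commit title and the absence of a comment make that hard to see. Deriving the pointer from the header object instead of from a member avoids the escape hatch entirely, e.g. `ov = *(u_int16_t *)((char *)th + offsetof(struct tcphdr, th_ack) + sizeof(th->th_ack));` and likewise for nv, preceded by `/* checksum delta over the th_off/flags word that follows th_ack */`. Separately, the unchanged condition at the top of the hunk tests `(TH_RES1|TH_RES2|TH_RES2)` while the clear mask below uses `TH_RES1 | TH_RES2 | TH_RES3`, so a segment with only TH_RES3 set appears to skip this normalization; that looks like a pre-existing typo worth a follow-up. pf_normalize_tcp starts and ends outside the hunk.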