pf: verify SCTP v_tag before updating connection state

Make it harder to manipulate the firewall state by verifying the v_tag before we
update the state.

MFC after:	2 weeks
Sponsored by:	Orange Business Services
Kristof Provost 2025-01-06 10:06:58 +01:00
parent 541ea3d782
commit 4713d2fd56


@ -7149,6 +7149,9 @@ pf_test_state_sctp(struct pf_kstate **state, struct pf_pdesc *pd,
return (PF_DROP);
}
if (pf_sctp_track(*state, pd, reason) != PF_PASS)
return (PF_DROP);
/* Track state. */
if (pd->sctp_flags & PFDESC_SCTP_INIT) {
if (src->state < SCTP_COOKIE_WAIT) {
@ -7180,9 +7183,6 @@ pf_test_state_sctp(struct pf_kstate **state, struct pf_pdesc *pd,
(*state)->timeout = PFTM_SCTP_CLOSED;
}
if (pf_sctp_track(*state, pd, reason) != PF_PASS)
return (PF_DROP);
(*state)->expire = pf_get_uptime();
/* translate source/destination address, if necessary */
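Review bot: The pf_sctp_track() call moved to the top of the first hunk carries no comment explaining why it must run before the INIT/SHUTDOWN handling that follows; the ordering is the whole point of the change, but that reasoning lives only in the commit message, so a later reshuffle could quietly reintroduce the old order. A one-line comment above the moved call would pin it: `/* Verify v_tag before the INIT/SHUTDOWN handling below can change state. */`. That pf_sctp_track() is where the v_tag is checked is inferred from the commit title, since its body is outside both hunks. The enclosing pf_test_state_sctp() starts before the first hunk and continues past the last line of the second.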