upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-09 00:32:25 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pf: verify that ABORT chunks are not mixed with DATA chunks

Browse source 
RFC4960 3.3.7: DATA chunks MUST NOT be bundled with ABORT.

MFC after:	2 weeks
Sponsored by:	Orange Business Services
This commit is contained in:
Kristof Provost 2025-01-06 10:06:01 +01:00
parent b2ff4cb193
commit 541ea3d782
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
sys/netpfil/pf/pf_norm.c
View file

@ -2138,6 +2138,14 @@ pf_scan_sctp(struct pf_pdesc *pd)
if ((pd->sctp_flags & PFDESC_SCTP_SHUTDOWN_COMPLETE) &&
(pd->sctp_flags & ~PFDESC_SCTP_SHUTDOWN_COMPLETE))
return (PF_DROP);
if ((pd->sctp_flags & PFDESC_SCTP_ABORT) &&
(pd->sctp_flags & PFDESC_SCTP_DATA)) {
/*
* RFC4960 3.3.7: DATA chunks MUST NOT be
* bundled with ABORT.
*/
return (PF_DROP);
}
return (PF_PASS);
}