upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-29 10:59:44 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pf: remove incorrect fragmentation check

Browse source 
We do not need to check PFDESC_IP_REAS while tracking TCP state.
Moreover, this check incorrectly considers no-data packets (e.g. RST) to
be in-window when this flag is not set.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Approved by:	so
Security:	FreeBSD-SA-23:17.pf
This commit is contained in:
Kristof Provost 2023-11-29 19:06:31 +01:00 committed by Mark Johnston
parent 62d47a4db4
commit 6284d5f76d
1 changed files with 1 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
sys/netpfil/pf/pf.c
View file

@ -5367,8 +5367,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif,
(ackskew <= (MAXACKWINDOW << sws)) &&
/* Acking not more than one window forward */
((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
(orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) ||
(pd->flags & PFDESC_IP_REAS) == 0)) {
(orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) {
/* Require an exact/+1 sequence match on resets when possible */
if (dst->scrub || src->scrub) {