mirror of
https://github.com/opnsense/src.git
synced 2026-06-11 01:30:30 -04:00
ipfw: Skip to the start of the loop when following a keep-state rule

When a packet matches an existing dynamic rule for a keep-state rule,
the matching engine advances the "instruction pointer" to the action
portion of the rule skipping over the match conditions. However, the
code was merely breaking out of the switch statement rather than doing
a continue, so the remainder of the loop body after the switch was
still executed. If the first action opcode contains an F_NOT but not
an F_OR (such as an "untag" action), then match is toggled to 0, and
the code exits the inner loop via a break which aborts processing of
the actions.

To fix, just use a continue instead of a break.

PR: 276732
Reviewed by: jhb, ae
MFC after: 2 weeks

(cherry picked from commit 62b1faa3b7)
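
A simplified model of the control flow the commit message describes, added here as an illustration; it is not the ipfw source or code from this commit. Only F_NOT, F_OR and the break/continue difference come from the page; the opcode names, flag values and both rules are constructed assumptions.

```c
#include <stdio.h>

/* Simplified model, not the ipfw source: names, values and rules are constructed. */
#define F_NOT 0x1
#define F_OR  0x2
enum op { O_STATE_HIT, O_COND, O_UNTAG, O_ACCEPT };
struct insn { enum op op; int flags; };
#define RULE_LEN 4
#define ACT_OFS  2   /* index of the first action opcode */
/* First action carries F_NOT without F_OR, like "untag". */
static const struct insn rule_untag[RULE_LEN] = {
    { O_STATE_HIT, 0 }, { O_COND, 0 }, { O_UNTAG, F_NOT }, { O_ACCEPT, 0 } };
/* First action has no flags: the old code happened to work here. */
static const struct insn rule_plain[RULE_LEN] = {
    { O_STATE_HIT, 0 }, { O_COND, 0 }, { O_ACCEPT, 0 }, { O_ACCEPT, 0 } };

/* Returns 1 if the O_ACCEPT action ran, 0 if the loop aborted before it. */
int run_rule(const struct insn *rule, int use_continue)
{
    const struct insn *cmd = rule;
    int l, cmdlen, accepted = 0;
    for (l = RULE_LEN; l > 0; l -= cmdlen, cmd += cmdlen) {
        int match = 0;
        cmdlen = 1;
        switch (cmd->op) {
        case O_STATE_HIT:              /* dynamic state found: jump to actions */
            cmd = &rule[ACT_OFS];
            l = RULE_LEN - ACT_OFS;
            cmdlen = 0;
            match = 1;
            if (use_continue)
                continue;              /* fixed: restart the loop at the action */
            break;                     /* old: falls into the flag handling below */
        case O_COND:   match = 1; break;
        case O_UNTAG:  match = 0; break;   /* F_NOT below flips this to 1 */
        case O_ACCEPT: accepted = 1; match = 1; break;
        }
        /* Post-switch flag handling, applied to whatever cmd now points at. */
        if (cmd->flags & F_NOT)
            match = !match;
        if (!match && !(cmd->flags & F_OR))
            break;                     /* no match and no OR: stop processing */
    }
    return accepted;
}
int main(void)
{
    printf("%d %d\n", run_rule(rule_untag, 0), run_rule(rule_untag, 1));
    return 0;
}
```

With the old `break`, the flag check runs against the first action opcode before that opcode has executed, so the constructed "untag" rule never reaches its accept action; the flag-free rule is unaffected by the choice between `break` and `continue`.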
parent
0090752521
commit
d2c8cb41d1
1 changed files with 1 additions and 2 deletions
|
|
@ -2886,8 +2886,7 @@ do { \
|
|||
cmd = ACTION_PTR(f);
|
||||
l = f->cmd_len - f->act_ofs;
|
||||
cmdlen = 0;
|
||||
match = 1;
|
||||
break;
|
||||
continue;
|
||||
}
|
||||
/*
|
||||
* Dynamic entry not found. If CHECK_STATE,
|
||||
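Review bot: The `continue;` that follows `match = 1;` carries no comment saying it is deliberately not a `break;`, and inside a switch the two read as interchangeable, so a later cleanup could silently reintroduce the bug. Suggest a one-line comment at that statement stating that it restarts the loop at the action pointed to by `ACTION_PTR(f)` and skips the code after the switch. The commit message names a concrete failing case (a keep-state rule whose first action opcode has F_NOT but not F_OR, such as "untag"); a regression test for that case would be worth landing with the fix.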