pf: verify SCTP v_tag before updating connection state

Make it harder to manipulate the firewall state by verifying the v tag before we update states. MFC after: 2 weeks Sponsored by: Orange Business Services (cherry picked from commit 4713d2fd5663eb64aa582dabced21d253c901a66)
2026-05-28 04:12:45 -04:00 · 2025-01-06 10:06:58 +01:00 · 2025-01-06 10:06:58 +01:00 · efd622d007
commit efd622d007
parent 0f09722c20
1 changed files with 7 additions and 7 deletions
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@ -6227,6 +6227,13 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
 		return (PF_DROP);
 	}

+	if (src->scrub != NULL) {
+		if (src->scrub->pfss_v_tag == 0) {
+			src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
+		} else  if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
+			return (PF_DROP);
+	}
+
 	/* Track state. */
 	if (pd->sctp_flags & PFDESC_SCTP_INIT) {
 		if (src->state < SCTP_COOKIE_WAIT) {
@ -6267,13 +6274,6 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
 		(*state)->timeout = PFTM_SCTP_CLOSED;
 	}

-	if (src->scrub != NULL) {
-		if (src->scrub->pfss_v_tag == 0) {
-			src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
-		} else  if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
-			return (PF_DROP);
-	}
-
 	(*state)->expire = time_uptime;

 	/* translate source/destination address, if necessary */