
pf: verify SCTP v_tag before updating connection state
Make it harder to manipulate firewall state by verifying the SCTP verification tag (v_tag) before we
update the state.

MFC after:	2 weeks
Sponsored by:	Orange Business Services

(cherry picked from commit 4713d2fd5663eb64aa582dabced21d253c901a66)
kprovost authored and fichtner committed Feb 18, 2025
1 parent 0f09722 commit efd622d
Showing 1 changed file with 7 additions and 7 deletions.
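--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6227,6 +6227,13 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
 return (PF_DROP);
 }
 
+if (src->scrub != NULL) {
+if (src->scrub->pfss_v_tag == 0) {
+src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
+} else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
+return (PF_DROP);
+}
+
 /* Track state. */
 if (pd->sctp_flags & PFDESC_SCTP_INIT) {
 if (src->state < SCTP_COOKIE_WAIT) {
@@ -6267,13 +6274,6 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
 (*state)->timeout = PFTM_SCTP_CLOSED;
 }
 
-if (src->scrub != NULL) {
-if (src->scrub->pfss_v_tag == 0) {
-src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
-} else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
-return (PF_DROP);
-}
-
 (*state)->expire = time_uptime;
 
 /* translate source/destination address, if necessary */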
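Review bot: The relocated check still runs only under `if (src->scrub != NULL)`, so on any SCTP state whose per-direction scrub was not allocated the v_tag is never verified and the state-tracking code below remains reachable with an arbitrary tag; the hardening is only as strong as the guarantee that SCTP states always carry a scrub, which this hunk does not show — please confirm that in pf_create_state or drop the packet when scrub is missing. Because an INIT chunk carries a verification tag of 0 while pfss_v_tag is learned from the first packet seen in that direction, moving the comparison ahead of the PFDESC_SCTP_INIT branch also means a new INIT on an existing association (a peer restart, or an INIT retransmission after the tag was learned) is now dropped before the INIT handling can reset the state; if that is the intended trade-off it deserves a comment such as `/* v_tag is learned from the first packet per direction; a mismatch, including an INIT (v_tag 0) on a learned state, is dropped before state tracking. */`. Note also that the learned tag is trusted from whichever packet arrives first in each direction, so an attacker who wins that race can still pin the tag. pf_test_state_sctp begins before and continues past these hunks.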
