Date: Tue, 11 Dec 2018 21:44:39 +0000 (UTC) From: Kristof Provost <kp@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r341833 - head/sys/netpfil/pf Message-ID: <201812112144.wBBLidco038810@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kp Date: Tue Dec 11 21:44:39 2018 New Revision: 341833 URL: https://svnweb.freebsd.org/changeset/base/341833 Log: pf: Prevent integer overflow in PF when calculating the adaptive timeout. Mainly states of established TCP connections would be affected resulting in immediate state removal once the number of states is bigger than adaptive.start. Disabling adaptive timeouts is a workaround to avoid this bug. Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr) Reported by: Andreas Longwitz <longwitz AT incore.de> Obtained from: OpenBSD MFC after: 2 weeks Modified: head/sys/netpfil/pf/pf.c Modified: head/sys/netpfil/pf/pf.c ============================================================================== --- head/sys/netpfil/pf/pf.c Tue Dec 11 21:16:09 2018 (r341832) +++ head/sys/netpfil/pf/pf.c Tue Dec 11 21:44:39 2018 (r341833) @@ -1567,9 +1567,11 @@ pf_state_expires(const struct pf_state *state) states = V_pf_status.states; } if (end && states > start && start < end) { - if (states < end) - return (state->expire + timeout * (end - states) / - (end - start)); + if (states < end) { + timeout = (u_int64_t)timeout * (end - states) / + (end - start); + return (state->expire + timeout); + } else return (time_uptime); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812112144.wBBLidco038810>