Date: Thu, 30 Jan 2025 11:02:00 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: fc167e91313c - stable/14 - pf: verify that ABORT chunks are not mixed with DATA chunks
Message-ID: <202501301102.50UB20wX077910@gitrepo.freebsd.org>
The branch stable/14 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=fc167e91313c7c544119f524ae5cbb2439734352 commit fc167e91313c7c544119f524ae5cbb2439734352 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-01-06 09:06:01 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-01-30 11:00:30 +0000 pf: verify that ABORT chunks are not mixed with DATA chunks RFC4960 3.3.7: DATA chunks MUST NOT be bundled with ABORT. MFC after: 2 weeks Sponsored by: Orange Business Services (cherry picked from commit 541ea3d7828e0ede161ac2d8ef3e8419657ef5cb) --- sys/netpfil/pf/pf_norm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index a92462c53f15..de4df7ebf4de 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -2171,6 +2171,14 @@ pf_scan_sctp(struct mbuf *m, int ipoff, int off, struct pf_pdesc *pd, if ((pd->sctp_flags & PFDESC_SCTP_SHUTDOWN_COMPLETE) && (pd->sctp_flags & ~PFDESC_SCTP_SHUTDOWN_COMPLETE)) return (PF_DROP); + if ((pd->sctp_flags & PFDESC_SCTP_ABORT) && + (pd->sctp_flags & PFDESC_SCTP_DATA)) { + /* + * RFC4960 3.3.7: DATA chunks MUST NOT be + * bundled with ABORT. + */ + return (PF_DROP); + } return (PF_PASS); }
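Review bot: the new ABORT/DATA check placed just before the final return (PF_PASS) in pf_scan_sctp() arrives without a regression test; the diffstat lists only sys/netpfil/pf/pf_norm.c with 8 insertions. Because the condition tests the accumulated pd->sctp_flags bits (PFDESC_SCTP_ABORT and PFDESC_SCTP_DATA) rather than chunk position, it returns PF_DROP whichever of the two chunks comes first in the packet, so a test should cover both orderings and also confirm that a packet carrying ABORT without DATA still reaches return (PF_PASS). A smaller style point: the neighbouring SHUTDOWN_COMPLETE check is an unbraced if with no comment, while this one is braced with the RFC reference inside the body; moving the comment above the if would keep the two checks visually consistent.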