Date:      Thu, 30 Jan 2025 11:02:02 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 4557b1693a11 - stable/14 - pf: verify SCTP v_tag before updating connection state
Message-ID:  <202501301102.50UB22JX077950@gitrepo.freebsd.org>

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=4557b1693a11246d2ae9adcf03bd2a4a35d79aa0

commit 4557b1693a11246d2ae9adcf03bd2a4a35d79aa0
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-01-06 09:06:58 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-01-30 11:00:30 +0000

    pf: verify SCTP v_tag before updating connection state
    
    Make it harder to manipulate the firewall state by verifying the v tag before we
    update states.
    
    MFC after:      2 weeks
    Sponsored by:   Orange Business Services
    
    (cherry picked from commit 4713d2fd5663eb64aa582dabced21d253c901a66)
---
 sys/netpfil/pf/pf.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 255d85440fa5..15569a294f98 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6200,6 +6200,13 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
 		return (PF_DROP);
 	}
 
+	if (src->scrub != NULL) {
+		if (src->scrub->pfss_v_tag == 0) {
+			src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
+		} else  if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
+			return (PF_DROP);
+	}
+
 	/* Track state. */
 	if (pd->sctp_flags & PFDESC_SCTP_INIT) {
 		if (src->state < SCTP_COOKIE_WAIT) {
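Review bot: the relocated block carries no comment explaining the zero sentinel, and since it now runs before `/* Track state. */` it is the first thing a reader meets after the earlier `return (PF_DROP)`; add a short comment such as `/* Learn the peer's v_tag on first sight, then require it on every later packet. */` above `if (src->scrub != NULL) {` so the "0 means not yet learned" convention for `pfss_v_tag` is explicit. Moving the check ahead of state tracking is the substance of the fix: a packet whose `pd->hdr.sctp.v_tag` does not match is dropped before it can advance `src->state` or adjust timeouts, whereas previously the tracking ran first and the drop only happened afterwards. Minor style point: `} else  if` has a double space; it was carried over from the old location, and this move is the chance to normalise it to `} else if`.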
@@ -6231,13 +6238,6 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
 		(*state)->timeout = PFTM_SCTP_CLOSED;
 	}
 
-	if (src->scrub != NULL) {
-		if (src->scrub->pfss_v_tag == 0) {
-			src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
-		} else  if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
-			return (PF_DROP);
-	}
-
 	(*state)->expire = time_uptime;
 
 	/* translate source/destination address, if necessary */
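Review bot: with the old check deleted here, `(*state)->expire = time_uptime;` is now reached only by packets that already passed the tag comparison at the top of the function, so a packet with a bad `v_tag` no longer refreshes the state's expiry; that matches the intent stated in the commit message. Worth confirming in review that the two locations are otherwise identical (they are, line for line) and that the `src->scrub != NULL` guard is preserved, since `scrub` is the only place `pfss_v_tag` lives and a state without scrub remains unverified by this path exactly as before.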