Date: Wed, 17 Sep 2025 14:15:46 GMT
Message-Id: <202509171415.58HEFkFC010352@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: fc63421de9f6 - main - pf: allows TCP RST packets in the backwards window if ACK matches
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: fc63421de9f69ed67aad7bae29712fca2f570693

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=fc63421de9f69ed67aad7bae29712fca2f570693

commit fc63421de9f69ed67aad7bae29712fca2f570693
Author:     Kristof Provost
AuthorDate: 2025-08-25 13:49:22 +0000
Commit:     Kristof Provost
CommitDate: 2025-09-17 14:15:15 +0000

    pf: allows TCP RST packets in the backwards window if ACK matches

    TCP reset packets are generated for the sequence numbers that have been
    acknowledged. Our pf(4) is quite strict regarding sequence numbers of
    reset packets to avoid evil connection drops. It expected an exact match
    and did not allow a sequence window for resets. As pf tracks neither gaps
    in the sequence space nor the acknowledged data, it does not know where
    exactly the reset is expected by the TCP stack.

    The problem was that legit reset packets before a gap but not at the
    highest sequence numbers were blocked by pf.

    The solution is to fix pf_tcp_track_full(). Now it allows sequence number
    windows if the packet has ACK+RST flags set and the acknowledge number
    matches perfectly. This still prevents reset number guessing by an
    attacker.

    Curiously the TCP stack behaves correctly and accepts only resets before
    the gap. pf only allowed resets after the final data. So any reset was
    ignored by the system.
    When the other side processed the challenge ACK, the situation could be
    fixed.

    bug reported and fix tested by Lucas Aubard with Johan Mazel, Gilles
    Guette and Pierre Chifflier; OK sashan@

    Obtained from:  OpenBSD, bluhm, 12e4c257ea
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index aade1d9ace37..2705df61a1f7 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6775,8 +6775,12 @@ pf_tcp_track_full(struct pf_kstate *state, struct pf_pdesc *pd, (ackskew <= (MAXACKWINDOW << sws)) && /* Acking not more than one window forward */ ((tcp_get_flags(th) & TH_RST) == 0 || orig_seq == src->seqlo || - (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) { + (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) || /* Require an exact/+1 sequence match on resets when possible */ + (SEQ_GEQ(orig_seq, src->seqlo - (dst->max_win << dws)) && + SEQ_LEQ(orig_seq, src->seqlo + 1) && ackskew == 0 && + (th->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)))) { + /* Allow resets to match sequence window if ack is perfect match */ if (dst->scrub || src->scrub) { if (pf_normalize_tcp_stateful(pd, reason, th,
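Review bot: the new clause tests `(th->th_flags & (TH_ACK|TH_RST))` directly while the existing RST test at the top of the same condition goes through `tcp_get_flags(th)`; use the accessor here as well so both parts of the condition read the flag value the same way. The comment `/* Require an exact/+1 sequence match on resets when possible */` now sits on the old exact-match alternatives rather than on the windowed clause it qualifies; placing it immediately above the `SEQ_GEQ(...)` line (next to the "Allow resets to match sequence window" comment) would make the intent of the two alternatives clearer to the next reader.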
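The acceptance rule the commit message describes, modelled as an added C example (not pf code): the pre-commit strict check beside the new windowed check, run on a constructed state so the "legit reset before a gap" case and the guessed-reset cases can be compared. `struct side`, `rst_ok_strict`, `rst_ok_windowed` and the sample states are hypothetical; `SEQ_GEQ`/`SEQ_LEQ` are restated from FreeBSD's sys/netinet/tcp_seq.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Sequence-space comparisons, as defined in sys/netinet/tcp_seq.h. */
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
#define TH_RST 0x04
#define TH_ACK 0x10

/* Hypothetical cut-down pf state half: only the fields this check reads. */
struct side { uint32_t seqlo; uint16_t max_win; uint8_t wscale; };

/* Pre-commit rule for RST segments: seq must be seqlo, seqlo+1 or seqlo-1. */
bool rst_ok_strict(uint32_t seq, const struct side *src)
{
    return seq == src->seqlo || seq == src->seqlo + 1 || seq + 1 == src->seqlo;
}

/* Post-commit rule: the strict rule still applies, but an ACK|RST whose ACK
 * number matches exactly (ackskew == 0) may also sit anywhere within one
 * receive window (dst->max_win << dst->wscale) below seqlo, i.e. before a gap.
 * Without ACK, or with any ACK skew, a guessed sequence number still fails. */
bool rst_ok_windowed(uint32_t seq, int32_t ackskew, uint8_t flags,
                     const struct side *src, const struct side *dst)
{
    uint32_t win = (uint32_t)dst->max_win << dst->wscale;
    return rst_ok_strict(seq, src) ||
        (SEQ_GEQ(seq, src->seqlo - win) && SEQ_LEQ(seq, src->seqlo + 1) &&
         ackskew == 0 && (flags & (TH_ACK | TH_RST)) == (TH_ACK | TH_RST));
}

/* Constructed state: highest seq seen from src is 100000, dst window 64 KiB. */
static const struct side SRC = { .seqlo = 100000, .max_win = 8192, .wscale = 0 };
static const struct side DST = { .seqlo = 500000, .max_win = 8192, .wscale = 3 };
/* Constructed state near the bottom of the space so seqlo - win wraps around. */
static const struct side WRAP = { .seqlo = 1000, .max_win = 65535, .wscale = 0 };

int main(void)
{
    uint8_t ar = TH_ACK | TH_RST;
    /* Legit reset before a gap: dropped by the old rule, passed by the new. */
    printf("strict %d windowed %d\n", rst_ok_strict(95000, &SRC),
           rst_ok_windowed(95000, 0, ar, &SRC, &DST));             /* 0 1 */
    /* Same segment with a wrong ACK, or without ACK, is still dropped. */
    printf("bad ack %d no ack %d\n", rst_ok_windowed(95000, 7, ar, &SRC, &DST),
           rst_ok_windowed(95000, 0, TH_RST, &SRC, &DST));         /* 0 0 */
    /* seqlo - win underflows, but SEQ_GEQ compares modulo 2^32 correctly. */
    printf("wrap %d\n", rst_ok_windowed(0xFFFFFF00u, 0, ar, &WRAP, &WRAP)); /* 1 */
    return 0;
}
```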