Date: Sat, 9 May 2015 19:36:31 +0000 (UTC)
From: "George V. Neville-Neil" <gnn@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r282688 - stable/10/sys/netpfil/pf
Message-ID: <201505091936.t49JaVNa079658@svn.freebsd.org>
Author: gnn Date: Sat May 9 19:36:30 2015 New Revision: 282688 URL: https://svnweb.freebsd.org/changeset/base/282688 Log: MFC: 281529 I can find no reason to allow packets with both SYN and FIN bits set past this point in the code. The packet should be dropped and not massaged as it is here. Differential Revision: https://reviews.freebsd.org/D2266 Submitted by: eri Sponsored by: Rubicon Communications (Netgate) Modified: stable/10/sys/netpfil/pf/pf_norm.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/netpfil/pf/pf_norm.c ============================================================================== --- stable/10/sys/netpfil/pf/pf_norm.c Sat May 9 19:29:55 2015 (r282687) +++ stable/10/sys/netpfil/pf/pf_norm.c Sat May 9 19:36:30 2015 (r282688) @@ -1348,7 +1348,7 @@ pf_normalize_tcp(int dir, struct pfi_kif goto tcp_drop; if (flags & TH_FIN) - flags &= ~TH_FIN; + goto tcp_drop; } else { /* Illegal packet */ if (!(flags & (TH_ACK|TH_RST)))
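Review bot: the new `goto tcp_drop;` under `if (flags & TH_FIN)` in pf_normalize_tcp carries no comment explaining why a packet with both SYN and FIN is dropped instead of having FIN cleared. The else branch just below is marked `/* Illegal packet */`, and a similar one-line comment here would keep the rationale from the log message next to the code. The change is also visible to users: packets that previously continued through normalization with FIN cleared are now discarded, so it is worth stating that in whatever documentation describes the TCP normalization behaviour, and confirming that the tcp_drop path accounts for the drop in a way an operator can see when diagnosing lost connections.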