Date: Tue, 25 Dec 2018 12:45:50 +0000 (UTC) From: Kristof Provost <kp@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r342460 - stable/11/sys/netpfil/pf Message-ID: <201812251245.wBPCjoJn017391@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kp Date: Tue Dec 25 12:45:49 2018 New Revision: 342460 URL: https://svnweb.freebsd.org/changeset/base/342460 Log: MFC r341833: pf: Prevent integer overflow in PF when calculating the adaptive timeout. Mainly states of established TCP connections would be affected resulting in immediate state removal once the number of states is bigger than adaptive.start. Disabling adaptive timeouts is a workaround to avoid this bug. Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr) Reported by: Andreas Longwitz <longwitz AT incore.de> Obtained from: OpenBSD Modified: stable/11/sys/netpfil/pf/pf.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netpfil/pf/pf.c ============================================================================== --- stable/11/sys/netpfil/pf/pf.c Tue Dec 25 12:45:46 2018 (r342459) +++ stable/11/sys/netpfil/pf/pf.c Tue Dec 25 12:45:49 2018 (r342460) @@ -1557,9 +1557,11 @@ pf_state_expires(const struct pf_state *state) states = V_pf_status.states; } if (end && states > start && start < end) { - if (states < end) - return (state->expire + timeout * (end - states) / - (end - start)); + if (states < end) { + timeout = (u_int64_t)timeout * (end - states) / + (end - start); + return (state->expire + timeout); + } else return (time_uptime); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201812251245.wBPCjoJn017391>