Date: Tue, 5 Dec 2023 18:34:02 GMT
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 1f8724dd18b0 - releng/12.3 - pf: remove incorrect fragmentation check
Message-ID: <202312051834.3B5IY2h2026077@gitrepo.freebsd.org>
The branch releng/12.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=1f8724dd18b0d57ccc74086040411bb1f0059be0 commit 1f8724dd18b0d57ccc74086040411bb1f0059be0 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2023-11-29 18:06:31 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2023-12-05 18:31:14 +0000 pf: remove incorrect fragmentation check We do not need to check PFDESC_IP_REAS while tracking TCP state. Moreover, this check incorrectly considers no-data packets (e.g. RST) to be in-window when this flag is not set. Sponsored by: Rubicon Communications, LLC ("Netgate") Approved by: so Security: FreeBSD-SA-23:17.pf (cherry picked from commit 6284d5f76d6bd2d97fe287c5adabf59c79688eda) (cherry picked from commit 0415f0554b72b93a1986292d28f679594f6ce6a6) --- sys/netpfil/pf/pf.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index dd4c49959a60..cd3403b1bd22 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4477,8 +4477,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, (ackskew <= (MAXACKWINDOW << sws)) && /* Acking not more than one window forward */ ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo || - (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) || - (pd->flags & PFDESC_IP_REAS) == 0)) { + (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) { /* Require an exact/+1 sequence match on resets when possible */ if (dst->scrub || src->scrub) {
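Review bot: The comment in the trailing context, "Require an exact/+1 sequence match on resets when possible", is stale after this change. With the `(pd->flags & PFDESC_IP_REAS) == 0` alternative removed, the RST clause is satisfied only when `orig_seq` equals `src->seqlo` or differs from it by one, whether or not the packet went through reassembly, so "when possible" no longer describes a real exception; suggest dropping those two words in the same commit. The change also has no accompanying test in this diff: a regression case covering a data-less RST whose sequence number falls outside that exact/+1 range, on a path where PFDESC_IP_REAS is not set, would pin down the behaviour the commit message describes.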