git: 6284d5f76d6b - main - pf: remove incorrect fragmentation check
Date: Tue, 05 Dec 2023 18:24:18 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=6284d5f76d6bd2d97fe287c5adabf59c79688eda
commit 6284d5f76d6bd2d97fe287c5adabf59c79688eda
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-11-29 18:06:31 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-12-05 18:19:20 +0000
pf: remove incorrect fragmentation check
We do not need to check PFDESC_IP_REAS while tracking TCP state.
Moreover, this check incorrectly considers no-data packets (e.g. RST) to
be in-window when this flag is not set.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Approved by: so
Security: FreeBSD-SA-23:17.pf
---
sys/netpfil/pf/pf.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 84bd75276af7..e19370cc7333 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5367,8 +5367,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif,
(ackskew <= (MAXACKWINDOW << sws)) &&
/* Acking not more than one window forward */
((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
- (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) ||
- (pd->flags & PFDESC_IP_REAS) == 0)) {
+ (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) {
/* Require an exact/+1 sequence match on resets when possible */
if (dst->scrub || src->scrub) {
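Review bot: The context comment directly after the condition, `/* Require an exact/+1 sequence match on resets when possible */`, still says "when possible", but with the `(pd->flags & PFDESC_IP_REAS) == 0` alternative removed the RST clause now requires `orig_seq` to equal `src->seqlo` or differ from it by one in every case. Suggest dropping "when possible" from that comment in the same change so it matches the condition. Separately, the diffstat touches only sys/netpfil/pf/pf.c; a regression test that sends a no-data RST with a sequence number far from `src->seqlo` while PFDESC_IP_REAS is not set, and checks that it is not treated as in-window, would keep this alternative from being reintroduced.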