git: f0327f9d86aa - releng/12.4 - pf: remove incorrect fragmentation check

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 05 Dec 2023 18:37:51 UTC
The branch releng/12.4 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=f0327f9d86aa54ab6de42ca7694899b97064bde7

commit f0327f9d86aa54ab6de42ca7694899b97064bde7
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-11-29 18:06:31 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-12-05 18:36:44 +0000

    pf: remove incorrect fragmentation check
    
    We do not need to check PFDESC_IP_REAS while tracking TCP state.
    Moreover, this check incorrectly considers no-data packets (e.g. RST) to
    be in-window when this flag is not set.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Approved by:    so
    Security:       FreeBSD-SA-23:17.pf
    
    (cherry picked from commit 6284d5f76d6bd2d97fe287c5adabf59c79688eda)
    (cherry picked from commit 0415f0554b72b93a1986292d28f679594f6ce6a6)
---
 sys/netpfil/pf/pf.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 0a6928e3d4eb..eeb4a2c1cc78 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -4601,8 +4601,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif,
 	    (ackskew <= (MAXACKWINDOW << sws)) &&
 	    /* Acking not more than one window forward */
 	    ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
-	    (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) ||
-	    (pd->flags & PFDESC_IP_REAS) == 0)) {
+	    (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) {
 	    /* Require an exact/+1 sequence match on resets when possible */
 
 		if (dst->scrub || src->scrub) {
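
Review bot: The context comment right after the changed condition, "Require an exact/+1 sequence match on resets when possible", still says "when possible", and that wording described the `(pd->flags & PFDESC_IP_REAS) == 0` escape this hunk removes. With that clause gone, a segment carrying TH_RST satisfies this branch only when orig_seq equals src->seqlo, src->seqlo + 1 or src->seqlo - 1, so the comment should drop "when possible" and mention the -1 case that `(orig_seq + 1 == src->seqlo)` accepts. The diffstat shows only sys/netpfil/pf/pf.c changed; a regression test asserting that an RST whose sequence number does not match is not accepted by this branch would keep the clause from being reintroduced.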