svn commit: r281529 - head/sys/netpfil/pf

George V. Neville-Neil gnn at FreeBSD.org
Tue Apr 14 14:43:43 UTC 2015


Author: gnn
Date: Tue Apr 14 14:43:42 2015
New Revision: 281529
URL: https://svnweb.freebsd.org/changeset/base/281529

Log:
  I can find no reason to allow packets with both SYN and FIN bits
  set past this point in the code. The packet should be dropped and
  not massaged as it is here.
  
  Differential Revision:  https://reviews.freebsd.org/D2266
  Submitted by: eri
  Sponsored by: Rubicon Communications (Netgate)

Modified:
  head/sys/netpfil/pf/pf_norm.c

Modified: head/sys/netpfil/pf/pf_norm.c
==============================================================================
--- head/sys/netpfil/pf/pf_norm.c	Tue Apr 14 14:22:34 2015	(r281528)
+++ head/sys/netpfil/pf/pf_norm.c	Tue Apr 14 14:43:42 2015	(r281529)
@@ -1643,7 +1643,7 @@ pf_normalize_tcp(int dir, struct pfi_kif
 			goto tcp_drop;
 
 		if (flags & TH_FIN)
-			flags &= ~TH_FIN;
+			goto tcp_drop;
 	} else {
 		/* Illegal packet */
 		if (!(flags & (TH_ACK|TH_RST)))
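
Review bot: The new `goto tcp_drop` under `if (flags & TH_FIN)` has no comment saying why this case is dropped, while the `else` branch directly below labels its case with `/* Illegal packet */`. A one-line comment here, for example `/* SYN+FIN is never legitimate, drop */`, would record the intent stated in the log message. The removed line cleared TH_FIN and let the packet continue, so this is a behaviour change from rewriting to dropping. If the pf documentation describes the FIN bit being stripped from SYN+FIN packets during normalization, it should be updated in the same change. It is also worth confirming that the `tcp_drop` path accounts for and logs this drop the same way as the `goto tcp_drop` just above it, so the newly dropped packets are visible to operators.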

