svn commit: r282688 - stable/10/sys/netpfil/pf
George V. Neville-Neil
gnn at FreeBSD.org
Sat May 9 19:36:31 UTC 2015
Author: gnn
Date: Sat May 9 19:36:30 2015
New Revision: 282688
URL: https://svnweb.freebsd.org/changeset/base/282688
Log:
MFC: 281529
I can find no reason to allow packets with both SYN and FIN bits
set past this point in the code. The packet should be dropped and
not massaged as it is here.
Differential Revision: https://reviews.freebsd.org/D2266
Submitted by: eri
Sponsored by: Rubicon Communications (Netgate)
Modified:
stable/10/sys/netpfil/pf/pf_norm.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/netpfil/pf/pf_norm.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf_norm.c Sat May 9 19:29:55 2015 (r282687)
+++ stable/10/sys/netpfil/pf/pf_norm.c Sat May 9 19:36:30 2015 (r282688)
@@ -1348,7 +1348,7 @@ pf_normalize_tcp(int dir, struct pfi_kif
goto tcp_drop;
if (flags & TH_FIN)
- flags &= ~TH_FIN;
+ goto tcp_drop;
} else {
/* Illegal packet */
if (!(flags & (TH_ACK|TH_RST)))
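Review bot: The new `goto tcp_drop;` under `if (flags & TH_FIN)` has no comment, while the `else` branch right after it is labelled `/* Illegal packet */`. Since this line changes the handling of a SYN+FIN packet from clearing the FIN bit (`flags &= ~TH_FIN;`) to dropping the packet, a short comment such as `/* SYN+FIN is never valid, drop instead of clearing FIN */` would record the intent from the log message in the code itself. The statement just above in the context is also a `goto tcp_drop;`. Its condition is outside the visible lines, but if it is a plain flag test the two checks could be folded into one condition now that both end at the same label. The change in behaviour from normalizing to dropping is visible to anyone relying on the old scrub behaviour, so it deserves a mention in the user-facing documentation or release notes alongside this merge.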