git: 4713d2fd5663 - main - pf: verify SCTP v_tag before updating connection state
Date: Fri, 17 Jan 2025 12:06:15 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=4713d2fd5663eb64aa582dabced21d253c901a66

commit 4713d2fd5663eb64aa582dabced21d253c901a66
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-01-06 09:06:58 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-01-17 08:40:32 +0000

    pf: verify SCTP v_tag before updating connection state

    Make it harder to manipulate the firewall state by verifying the v tag
    before we update states.

    MFC after:      2 weeks
    Sponsored by:   Orange Business Services
---
 sys/netpfil/pf/pf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index cfab6a828d5f..7b0ee24965b9 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7149,6 +7149,9 @@ pf_test_state_sctp(struct pf_kstate **state, struct pf_pdesc *pd, return (PF_DROP); } + if (pf_sctp_track(*state, pd, reason) != PF_PASS) + return (PF_DROP); + /* Track state. */ if (pd->sctp_flags & PFDESC_SCTP_INIT) { if (src->state < SCTP_COOKIE_WAIT) {
@@ -7180,9 +7183,6 @@ pf_test_state_sctp(struct pf_kstate **state, struct pf_pdesc *pd, (*state)->timeout = PFTM_SCTP_CLOSED; } - if (pf_sctp_track(*state, pd, reason) != PF_PASS) - return (PF_DROP); - (*state)->expire = pf_get_uptime(); /* translate source/destination address, if necessary */
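Review bot: in the @@ -7149 hunk the new pf_sctp_track() call now runs before the `/* Track state. */` block, which is the whole point of the change, but nothing at the call site records that the ordering matters, so a later refactor could move it back below the state transitions without any warning. Suggest a one-line comment above the call, e.g. `/* Verify the v_tag before src->state is advanced below. */`, and, since the call previously ran after those transitions, confirm that pf_sctp_track() does not itself depend on src->state having already been advanced for the PFDESC_SCTP_INIT path where the peer's tag is first learned.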
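Review bot: with the later call removed in the @@ -7180 hunk, the `(*state)->timeout` assignments in the tracking block and the `(*state)->expire = pf_get_uptime();` update are now reached only by packets that already passed pf_sctp_track(), which is a tightening the commit message does not mention ("before we update states" reads as the state machine only). Worth spelling out in the message before the MFC that timeout and expiry refresh are gated by the v_tag check as well, since that is what stops an unverified packet from keeping a state alive.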