author | gnn <gnn@FreeBSD.org> | 2015-05-09 19:36:30 +0000 |
---|---|---|
committer | gnn <gnn@FreeBSD.org> | 2015-05-09 19:36:30 +0000 |
commit | b67748dabdd2f445a768d0aa71dd88dd235d2cd7 (patch) | |
tree | 260db2b4d44c89b55022f6896f822cb7b8e9d407 | |
parent | cb8b5d5c8935555e2520215973ce5a598c767b62 (diff) | |
MFC: 281529
I can find no reason to allow packets with both SYN and FIN bits
set past this point in the code. The packet should be dropped and
not massaged as it is here.
Differential Revision: https://reviews.freebsd.org/D2266
Submitted by: eri
Sponsored by: Rubicon Communications (Netgate)
-rw-r--r-- | sys/netpfil/pf/pf_norm.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 883b500..491d1c2 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1348,7 +1348,7 @@ pf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff, goto tcp_drop; if (flags & TH_FIN) - flags &= ~TH_FIN; + goto tcp_drop; } else { /* Illegal packet */ if (!(flags & (TH_ACK|TH_RST))) |
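Review bot: The new `goto tcp_drop;` under `if (flags & TH_FIN)` has no comment, while the else branch directly below labels its case `/* Illegal packet */`. Because this line turns a silent fix-up (clearing FIN with `flags &= ~TH_FIN;`) into a drop for packets carrying both SYN and FIN, a one-line comment stating that would help the next reader, for example `/* SYN and FIN together: drop, do not scrub */`. The statement immediately above also ends in `goto tcp_drop;`, so the two tests could be folded into a single condition if the first has no side effects; its condition is outside the context shown here, so that needs checking against the full function.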