author dhartmei <dhartmei@FreeBSD.org> 2007-08-23 09:30:58 +0000
committer dhartmei <dhartmei@FreeBSD.org> 2007-08-23 09:30:58 +0000
commit 6853d1aa5a98187fa789b713f33d1418a3a5e4f1
tree 4e11304604344bb92c35c6d1066b16d816170168 /sys/contrib/pf
parent 77ec65518e7e4b0e811c9af9e1e6769599b428d3

When checking the sequence number of a TCP header embedded in an ICMP error message, do not access th_flags. The field is beyond the first eight bytes of the header that are required to be present and were pulled up in the mbuf. A random value of th_flags can have TH_SYN set, which made the sequence number comparison not apply the window scaling factor, which led to legitimate ICMP(v6) packets getting blocked with "BAD ICMP" debug log messages (if enabled with pfctl -xm), thus breaking PMTU discovery.

Triggering the bug requires TCP window scaling to be enabled (sysctl net.inet.tcp.rfc1323, enabled by default) on both endpoints of the TCP connection. Large scaling factors increase the probability of triggering the bug.

PR: kern/115413: [ipv6] ipv6 pmtu not working
Tested by: Jacek Zapala
Reviewed by: mlaier
Approved by: re (kensmith)

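The mechanism in the commit message above, as an added C example that is not part of the commit or of pf: a bounds-aware parse of the quoted TCP header, next to the scale-factor selection before and after the change. The `ex_` names, the local header struct, the mask value and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_QUOTED_MIN   8     /* bytes of the offending TCP header guaranteed in an ICMP error */
#define EX_TH_SYN       0x02
#define EX_WSCALE_MASK  0x0f  /* stands in for PF_WSCALE_MASK (value assumed) */

/* TCP header layout, declared locally for the example. */
struct ex_tcphdr {
	uint16_t th_sport, th_dport;
	uint32_t th_seq, th_ack;
	uint8_t  th_off_x2, th_flags;   /* th_flags sits at offset 13 */
	uint16_t th_win, th_sum, th_urp;
};

/* Copy only the bytes actually quoted; zero the rest and report whether th_flags was among them. */
int ex_parse_quoted_tcp(const uint8_t *buf, size_t len, struct ex_tcphdr *th, int *have_flags)
{
	if (len < EX_QUOTED_MIN)
		return -1;
	memset(th, 0, sizeof(*th));
	memcpy(th, buf, len < sizeof(*th) ? len : sizeof(*th));
	*have_flags = len > offsetof(struct ex_tcphdr, th_flags);
	return 0;
}

/* Scale factor selection as on the removed lines: depends on a byte that may not be present. */
uint8_t ex_dws_before(uint8_t src_ws, uint8_t dst_ws, uint8_t th_flags)
{
	return (src_ws && dst_ws && !(th_flags & EX_TH_SYN)) ? (dst_ws & EX_WSCALE_MASK) : 0;
}

/* Scale factor selection as on the added line: uses connection state only. */
uint8_t ex_dws_after(uint8_t src_ws, uint8_t dst_ws)
{
	return (src_ws && dst_ws) ? (dst_ws & EX_WSCALE_MASK) : 0;
}

int main(void)
{
	uint8_t stale = 0x02;   /* constructed: leftover byte that happens to have the SYN bit set */
	printf("th_flags offset: %zu\n", offsetof(struct ex_tcphdr, th_flags));
	printf("dws before: %u, after: %u\n", ex_dws_before(0x87, 0x87, stale), ex_dws_after(0x87, 0x87));
	return 0;
}
```
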
Diffstat (limited to 'sys/contrib/pf')
-rw-r--r-- sys/contrib/pf/net/pf.c 3
1 files changed, 1 insertions, 2 deletions
diff --git a/sys/contrib/pf/net/pf.c b/sys/contrib/pf/net/pf.c
index 456f705..4d1cd35 100644
--- a/sys/contrib/pf/net/pf.c
+++ b/sys/contrib/pf/net/pf.c
@@ -5445,8 +5445,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct pfi_kif *kif,
dst = &(*state)->dst;
}
- if (src->wscale && dst->wscale &&
- !(th.th_flags & TH_SYN))
+ if (src->wscale && dst->wscale)
dws = dst->wscale & PF_WSCALE_MASK;
else
dws = 0;
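Review bot: the new condition `if (src->wscale && dst->wscale)` has no comment saying why `th.th_flags` is not consulted, so a later cleanup could easily reintroduce the read. Suggest a short comment above it stating that only the first eight bytes of the embedded TCP header are pulled up at this point and that th_flags lies beyond them. It is also worth recording that an ICMP error quoting a genuine SYN now takes the `dws = dst->wscale & PF_WSCALE_MASK` branch where it previously got `dws = 0`, and that this looser match is accepted.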