The branch stable/14 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=4557b1693a11246d2ae9adcf03bd2a4a35d79aa0

commit 4557b1693a11246d2ae9adcf03bd2a4a35d79aa0
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-01-06 09:06:58 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-01-30 11:00:30 +0000

    pf: verify SCTP v_tag before updating connection state
    
    Make it harder to manipulate the firewall state by verifying the v tag before we
    update states.
    
    MFC after:      2 weeks
    Sponsored by:   Orange Business Services
    
    (cherry picked from commit 4713d2fd5663eb64aa582dabced21d253c901a66)
---
 sys/netpfil/pf/pf.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 255d85440fa5..15569a294f98 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6200,6 +6200,13 @@ pf_test_state_sctp(struct pf_kstate **state, struct 
pfi_kkif *kif,
                return (PF_DROP);
        }
 
+       if (src->scrub != NULL) {
+               if (src->scrub->pfss_v_tag == 0) {
+                       src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
+               } else  if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
+                       return (PF_DROP);
+       }
+
        /* Track state. */
        if (pd->sctp_flags & PFDESC_SCTP_INIT) {
                if (src->state < SCTP_COOKIE_WAIT) {
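Review bot: The relocated check at `if (src->scrub->pfss_v_tag == 0)` still pins `pfss_v_tag` from whichever packet with a non-zero tag arrives first in that direction, and an INIT (whose common header carries tag 0 per RFC 4960) never pins anything, so the protection presumably depends on the legitimate endpoint's packet being seen before a forged one; that is inherited rather than new, but it deserves stating next to the code. Since the ordering is the whole point of the commit, add a why-comment above the block, e.g. `/* Validate the verification tag before any state transition, so a packet with a wrong tag cannot advance or close the association. */`. As a matter of style, `else  if` carries a doubled space and its body is unbraced while the sibling branch is braced; `} else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag) {` followed by `return (PF_DROP);` and a closing `}` keeps the two branches consistent. The same removed block appears in the second hunk as a pure deletion, which needs nothing further. pf_test_state_sctp begins and ends outside this hunk.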
@@ -6231,13 +6238,6 @@ pf_test_state_sctp(struct pf_kstate **state, struct 
pfi_kkif *kif,
                (*state)->timeout = PFTM_SCTP_CLOSED;
        }
 
-       if (src->scrub != NULL) {
-               if (src->scrub->pfss_v_tag == 0) {
-                       src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
-               } else  if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
-                       return (PF_DROP);
-       }
-
        (*state)->expire = time_uptime;
 
        /* translate source/destination address, if necessary */
