On 17.08.2017 06:50, Dewayne Geraghty wrote:
> I was about to send to @freebsd-stable until I realised that there are
> security implications for folks that may be using this, thinking that
> their confidential material is protected, which may not be entirely correct.
Hi,

I think this was broken by me in r275710. This SYN+ACK packet is sent by the syncache code directly, when the PCB is not yet created. Due to the missing inpcb pointer this packet is considered as "forwarded", and thus the TCP ports are not filled properly for the SP lookup.

We can fix this in two ways:

1. Always fill the ports. This will add a small extra overhead, but will solve the restriction described in setkey(8):

   NOTE: upperspec does not work in the forwarding case at this moment, as it requires extra reassembly at forwarding node, which is not implemented at this moment.

2. Resurrect the flags argument and always fill the ports when not forwarding.

What is the best solution?

--
WBR, Andrey V. Elsukov
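As an added illustration (not part of the thread), here is the kind of port-scoped setkey(8) SPD policy whose lookup depends on the TCP ports being filled in; the addresses and port are constructed for the example. With the behaviour described above, the SYN+ACK the syncache emits carries no port information into the SP lookup, so it is the one packet of the handshake that a policy written like this may fail to match, which is worth verifying with a packet capture on the wire.

```conf
# Constructed example: protect an SSH service on 192.0.2.10 (port 22) from
# client 198.51.100.5 with transport-mode ESP, matched on TCP ports only.
# setkey(8) syntax: spdadd src_range dst_range upperspec policy ;
# Note: upperspec matching is documented as not working in the forwarding case.

# Inbound: client -> server, destination port 22 (the SYN arrives here)
spdadd 198.51.100.5[any] 192.0.2.10[22] tcp -P in  ipsec esp/transport//require;

# Outbound: server -> client, source port 22 (the syncache SYN+ACK leaves here;
# if the ports are not filled for the SP lookup, this policy may not match it)
spdadd 192.0.2.10[22] 198.51.100.5[any] tcp -P out ipsec esp/transport//require;

# Inspection: `setkey -DP` lists the installed policies, and a capture on the
# server's interface filtered on TCP port 22 should show no cleartext SYN+ACK.
```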