Author: gnn Date: Tue Apr 14 14:43:42 2015 New Revision: 281529 URL: https://svnweb.freebsd.org/changeset/base/281529
Log: I can find no reason to allow packets with both SYN and FIN bits set past this point in the code. The packet should be dropped and not massaged as it is here. Differential Revision: https://reviews.freebsd.org/D2266 Submitted by: eri Sponsored by: Rubicon Communications (Netgate) Modified: head/sys/netpfil/pf/pf_norm.c Modified: head/sys/netpfil/pf/pf_norm.c ============================================================================== --- head/sys/netpfil/pf/pf_norm.c Tue Apr 14 14:22:34 2015 (r281528) +++ head/sys/netpfil/pf/pf_norm.c Tue Apr 14 14:43:42 2015 (r281529) @@ -1643,7 +1643,7 @@ pf_normalize_tcp(int dir, struct pfi_kif goto tcp_drop; if (flags & TH_FIN) - flags &= ~TH_FIN; + goto tcp_drop; } else { /* Illegal packet */ if (!(flags & (TH_ACK|TH_RST))) _______________________________________________ svn-src-head@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
