CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org   2025/05/30 07:08:07

Modified files:
        sys/net        : pf.c 

Log message:
pf(4) allows TCP RST packets in the backwards window if ACK matches.

TCP reset packets are generated for the sequence numbers that have
been acknowledged.  Our pf(4) is quite strict regarding sequence
numbers of reset packets to avoid evil connection drops.  It expected
exact match and did not allow a sequence window for resets.  As pf
tracks neither gaps in the sequence space nor the acknowledged data,
it does not know where exactly the reset is expected by the TCP
stack.

Problem was that legit reset packets before a gap but not at the
highest sequence numbers were blocked by pf.  Solution is to fix
pf_tcp_track_full().  Now it allows sequence number windows if the
packet has ACK+RST flags set and the acknowledge number matches
perfectly.  This still prevents reset number guessing by an attacker.

Curiously the TCP stack behaves correctly and accepts only resets
before the gap.  pf only allowed resets after the final data.  So
any reset was ignored by the system.  When the other side processed
the challenge ACK, the situation could be fixed.

bug reported and fix tested by Lucas Aubard with Johan Mazel, Gilles
Guette and Pierre Chifflier; OK sashan@
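The behaviour the log message describes, modelled as an added illustration; this is not code from sys/net/pf.c or from the committer. The state fields (`seqlo`, `seqhi`), the rule that the acknowledgement number must equal the other direction's `seqhi`, the `observe()` update and the RFC 5961 style `stack_reaction()` are assumptions chosen to show the old exact-match rule next to the new ACK+RST window rule, and the segment numbers are constructed.

```python
"""Simplified model of the pf(4) TCP reset check described in the log message.

Added illustration, not code from sys/net/pf.c: the state fields, the window
bounds and the 'expected ack' rule are assumptions made to show the old
exact-match rule next to the new ACK+RST window rule.
"""
from dataclasses import dataclass

TH_RST = 0x04
TH_ACK = 0x10


@dataclass
class Segment:
    seq: int        # sequence number of the first byte
    ack: int        # acknowledgement number (meaningful only with TH_ACK)
    flags: int
    length: int = 0


@dataclass
class PeerState:
    """What the (hypothetical) state entry remembers about one direction."""
    seqlo: int      # lowest sequence number still acceptable in this direction
    seqhi: int      # end (seq + len) of the highest segment seen in this direction


def observe(st: PeerState, seg: Segment) -> None:
    """Advance the tracked window as a data segment passes pf (assumed rule)."""
    st.seqhi = max(st.seqhi, seg.seq + seg.length)


def rst_allowed_old(seg: Segment, src: PeerState, dst: PeerState) -> bool:
    """Pre-commit behaviour as the log describes it: a RST had to sit exactly
    at the highest sequence number seen; no window for resets."""
    return seg.seq == src.seqhi


def rst_allowed_new(seg: Segment, src: PeerState, dst: PeerState) -> bool:
    """Post-commit behaviour: with ACK+RST and an acknowledgement number that
    matches the other direction perfectly (assumed here: dst.seqhi), the
    sequence number may lie anywhere in the tracked window.  Otherwise the
    check stays strict, so a reset needs both values right."""
    if seg.flags & TH_ACK and seg.ack == dst.seqhi:
        return src.seqlo <= seg.seq <= src.seqhi
    return seg.seq == src.seqhi


def stack_reaction(seg: Segment, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 style handling on the receiving host: exact match resets,
    in-window but not exact draws a challenge ACK, anything else is dropped."""
    if seg.seq == rcv_nxt:
        return "reset"
    if rcv_nxt < seg.seq < rcv_nxt + rcv_wnd:
        return "challenge-ack"
    return "drop"


def scenario() -> dict:
    """Peer B streams data to A; the middle segment is lost after pf saw it,
    so A's RCV.NXT stops before the gap while pf's seqhi covers all of it."""
    b_to_a = PeerState(seqlo=1000, seqhi=1000)   # constructed initial state
    a_to_b = PeerState(seqlo=5000, seqhi=5000)
    data = [Segment(1000, 5000, TH_ACK, 100),
            Segment(1100, 5000, TH_ACK, 100),   # lost downstream of pf
            Segment(1200, 5000, TH_ACK, 100)]
    for seg in data:
        observe(b_to_a, seg)
    a_rcv_nxt = 1100          # A acknowledged only up to the gap

    # Legitimate reset: B resets at the sequence number A has acknowledged.
    legit = Segment(seq=1100, ack=5000, flags=TH_RST | TH_ACK)
    # Spoofed reset with the right flags and an in-window seq, wrong ack.
    bad_ack = Segment(seq=1100, ack=5040, flags=TH_RST | TH_ACK)
    # Spoofed reset with an in-window seq but no ACK flag at all.
    no_ack = Segment(seq=1150, ack=0, flags=TH_RST)
    # Reset placed after the final data: the only one old pf let through.
    tail = Segment(seq=1300, ack=5000, flags=TH_RST | TH_ACK)

    return {
        "legit_old": rst_allowed_old(legit, b_to_a, a_to_b),
        "legit_new": rst_allowed_new(legit, b_to_a, a_to_b),
        "legit_stack": stack_reaction(legit, a_rcv_nxt, 65535),
        "bad_ack_new": rst_allowed_new(bad_ack, b_to_a, a_to_b),
        "no_ack_new": rst_allowed_new(no_ack, b_to_a, a_to_b),
        "tail_old": rst_allowed_old(tail, b_to_a, a_to_b),
        "tail_stack": stack_reaction(tail, a_rcv_nxt, 65535),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:12s} {value}")
```

Running `scenario()` shows the mismatch the log describes: the legitimate reset before the gap is what A's stack actually resets on, yet the old rule blocked it, while the reset after the final data that the old rule allowed only draws a challenge ACK from the stack. Under the new rule the legitimate reset passes, and both spoofed resets, one with a wrong acknowledgement number and one without the ACK flag, are still rejected.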
