author | Henning Brauer <henning@cvs.openbsd.org> | 2022-06-13 12:48:01 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2022-06-13 12:48:01 +0000 |
commit | a7c2b2a18f08f018de81ca3ef214fcd81b77ace5 (patch) | |
tree | d97ad0614c54d2b0f24ab283710994741f1723e1 | |
parent | 4414f27f76d3dde5c991c6114523d835347ee583 (diff) |
fix logic bug in pf_find_state()
a state in PFTM_PURGE could potentially hide another state on the same state
key that is active and we'd incorrectly block the packet
I believe that cannot happen as things are now.
ok sashan
-rw-r--r-- | sys/net/pf.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 93fe5702625..cff5528294b 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.1132 2022/05/23 11:17:35 bluhm Exp $ */ +/* $OpenBSD: pf.c,v 1.1133 2022/06/13 12:48:00 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1133,7 +1133,8 @@ pf_find_state(struct pf_pdesc *pd, struct pf_state_key_cmp *key, /* list is sorted, if-bound states before floating ones */ TAILQ_FOREACH(si, &sk->states, entry) - if ((si->s->kif == pfi_all || si->s->kif == pd->kif) && + if (si->s->timeout != PFTM_PURGE && + (si->s->kif == pfi_all || si->s->kif == pd->kif) && ((si->s->key[PF_SK_WIRE]->af == si->s->key[PF_SK_STACK]->af && sk == (pd->dir == PF_IN ? si->s->key[PF_SK_WIRE] : si->s->key[PF_SK_STACK])) || @@ -1144,7 +1145,7 @@ pf_find_state(struct pf_pdesc *pd, struct pf_state_key_cmp *key, break; } - if (s == NULL || s->timeout == PFTM_PURGE) + if (s == NULL) return (PF_DROP); if (s->rule.ptr->pktrate.limit && pd->dir == s->direction) { |
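Review bot: The new `si->s->timeout != PFTM_PURGE` test in the `TAILQ_FOREACH` condition of `pf_find_state()` has no comment saying why purging entries are skipped instead of ending the lookup. The only comment above the loop still describes just the if-bound/floating ordering. Because the last hunk removes the post-loop `s->timeout == PFTM_PURGE` drop, this filter is now the only thing keeping a state awaiting purge from being returned. That makes the intent worth recording above the loop, e.g. `/* skip states awaiting purge so they cannot hide a live state on the same key */`. The `if` condition and its body continue past the end of this hunk, so the rest of the match expression is not visible here.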