authorHenning Brauer <henning@cvs.openbsd.org>2022-06-13 12:48:01 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2022-06-13 12:48:01 +0000
commita7c2b2a18f08f018de81ca3ef214fcd81b77ace5 (patch)
treed97ad0614c54d2b0f24ab283710994741f1723e1
parent4414f27f76d3dde5c991c6114523d835347ee583 (diff)
fix logic bug in pf_find_state()
a state in PFTM_PURGE could potentially hide another state on the same state key that is active and we'd incorrectly block the packet. I believe that cannot happen as things are now. ok sashan
-rw-r--r--sys/net/pf.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 93fe5702625..cff5528294b 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1132 2022/05/23 11:17:35 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1133 2022/06/13 12:48:00 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1133,7 +1133,8 @@ pf_find_state(struct pf_pdesc *pd, struct pf_state_key_cmp *key,
/* list is sorted, if-bound states before floating ones */
TAILQ_FOREACH(si, &sk->states, entry)
- if ((si->s->kif == pfi_all || si->s->kif == pd->kif) &&
+ if (si->s->timeout != PFTM_PURGE &&
+ (si->s->kif == pfi_all || si->s->kif == pd->kif) &&
((si->s->key[PF_SK_WIRE]->af == si->s->key[PF_SK_STACK]->af
&& sk == (pd->dir == PF_IN ? si->s->key[PF_SK_WIRE] :
si->s->key[PF_SK_STACK])) ||
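Review bot: The new `si->s->timeout != PFTM_PURGE` test in the TAILQ_FOREACH condition carries no comment saying why purging states are skipped, and the existing comment above the loop only explains the list ordering. Because the later hunk drops the post-loop `s->timeout == PFTM_PURGE` check, this filter is now the only thing that keeps a state awaiting purge from being returned as the match. I would add something like `/* skip states in PFTM_PURGE so they cannot shadow a live state on the same key */` above the loop. The loop body and the rest of pf_find_state() lie outside the hunk, so it is worth confirming that `timeout` is read here under the same lock that guards the transition to PFTM_PURGE.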
@@ -1144,7 +1145,7 @@ pf_find_state(struct pf_pdesc *pd, struct pf_state_key_cmp *key,
break;
}
- if (s == NULL || s->timeout == PFTM_PURGE)
+ if (s == NULL)
return (PF_DROP);
if (s->rule.ptr->pktrate.limit && pd->dir == s->direction) {