diff options
| author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2001-10-02 08:44:22 +0000 |
|---|---|---|
| committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2001-10-02 08:44:22 +0000 |
| commit | 1f945f699c49af4db1bb76afbc71c351a0ac48ec (patch) | |
| tree | de771a929bf6d50a1937365a9d13b64f635d2b6c | |
| parent | 9f7775b09d253e413aa019c46096293709785803 (diff) | |
Convert ip_off of the inner IP header to host order in pf_test_state_icmp().
Some of the IP header fields are already converted by ip_input.c (including
ip_off), but of course not for inner headers of ICMP packets. The other
fields which are left in network order are ok.
This broke state search for any ICMP error message who referred to an IP
header with the DF flag set, hence any ICMP_UNREACH_NEEDFRAG message.
Found by Andreas Gunnarsson <andreas@crt.se>. Thank you.
| -rw-r--r-- | sys/net/pf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index a6057cf1d6d..70a630b0bc6 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.160 2001/09/30 03:49:18 frantzen Exp $ */ +/* $OpenBSD: pf.c,v 1.161 2001/10/02 08:44:21 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -3911,7 +3911,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, return (PF_DROP); } /* ICMP error messages don't refer to non-first fragments */ - if (h2.ip_off & IP_OFFMASK) + if (ntohs(h2.ip_off) & IP_OFFMASK) return (PF_DROP); /* offset of protocol header that follows h2 */ |