| Field | Value | Date |
|---|---|---|
| author | Kristof Provost <kp@FreeBSD.org> | 2023-11-29 18:06:31 +0000 |
| committer | Mark Johnston <markj@FreeBSD.org> | 2023-12-05 18:19:20 +0000 |
| commit | 6284d5f76d6bd2d97fe287c5adabf59c79688eda | |
| tree | 17f4d99e9eee8426099fd6d80a8699abdf4cadab | |
| parent | 62d47a4db4579315d7b89002d7de696b44ae1415 | |
pf: remove incorrect fragmentation check
We do not need to check PFDESC_IP_REAS while tracking TCP state.
Moreover, this check incorrectly considers no-data packets (e.g. RST) to
be in-window when this flag is not set.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Approved by: so
Security: FreeBSD-SA-23:17.pf
-rw-r--r-- | sys/netpfil/pf/pf.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 84bd75276af7..e19370cc7333 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -5367,8 +5367,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, (ackskew <= (MAXACKWINDOW << sws)) && /* Acking not more than one window forward */ ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo || - (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) || - (pd->flags & PFDESC_IP_REAS) == 0)) { + (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) { /* Require an exact/+1 sequence match on resets when possible */ if (dst->scrub || src->scrub) { |
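Review bot: the trailing comment `/* Require an exact/+1 sequence match on resets when possible */` is now stale. With `(pd->flags & PFDESC_IP_REAS) == 0` removed from the disjunction, a RST is accepted only when `orig_seq` equals `src->seqlo`, `src->seqlo + 1` or `src->seqlo - 1`, so the match is required unconditionally and the "when possible" qualifier should go. The removal itself is right: the dropped clause was true for every packet that had not gone through IP reassembly, which is the normal case, so the whole RST sub-condition short-circuited and a RST with any sequence number inside the surrounding `ackskew` window was treated as in-window, exactly the defect the commit message describes. Parenthesis balance on the new `+` line checks out: `)))` closes the comparison, the `TH_RST` group and the enclosing `if`. Consider pairing this with a regression test that sends a RST whose sequence number is outside the exact/+1 range against a tracked state and asserts it is not accepted as in-window.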