diff options
| author | Karim Fodil-Lemelin <kfl@xiplink.com> | 2024-02-16 01:57:51 +0000 |
|---|---|---|
| committer | John Baldwin <jhb@FreeBSD.org> | 2024-02-16 01:57:51 +0000 |
| commit | 62b1faa3b7495de22a3225e42dabe6ce8c371e86 (patch) | |
| tree | 1b60780ed02753d485f6bd8dadfe68be5590fc1b | |
| parent | feefc3c71e33d8f97879c4889d5cf1ec82e98cd9 (diff) | |
| download | src-62b1faa3b7495de22a3225e42dabe6ce8c371e86.tar.gz src-62b1faa3b7495de22a3225e42dabe6ce8c371e86.zip | |
ipfw: Skip to the start of the loop when following a keep-state rule
When a packet matches an existing dynamic rule for a keep-state rule,
the matching engine advances the "instruction pointer" to the action
portion of the rule skipping over the match conditions. However, the
code was merely breaking out of the switch statement rather than doing
a continue, so the remainder of the loop body after the switch was
still executed. If the first action opcode contains an F_NOT but not
an F_OR (such as an "untag" action), then match is toggled to 0, and
the code exits the inner loop via a break which aborts processing of
the actions.
To fix, just use a continue instead of a break.
PR: 276732
Reviewed by: jhb, ae
MFC after: 2 weeks
| -rw-r--r-- | sys/netpfil/ipfw/ip_fw2.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index d2b01fde6944..e43d1a8fbbff 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c @@ -2886,8 +2886,7 @@ do { \ cmd = ACTION_PTR(f); l = f->cmd_len - f->act_ofs; cmdlen = 0; - match = 1; - break; + continue; } /* * Dynamic entry not found. If CHECK_STATE, |