As part of its stateful TCP connection tracking implementation, pf
performs sequence number validation on inbound packets.  This makes it
difficult for a would-be attacker to spoof the sender and inject packets
into a TCP stream, since crafted packets must contain sequence numbers
which match the current connection state to avoid being rejected by the
firewall.

A bug in the implementation of sequence number validation means that the
sequence number is not in fact validated, allowing an attacker who is
able to impersonate the remote host and guess the connection's port
numbers to inject packets into the TCP stream.

Obtained from: FreeBSD
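The reset clause that this commit tightens, modelled as an added example (this is not pf's code, and `rst_clause_before`, `rst_clause_after`, the scalar parameters and the `PFDESC_IP_REAS` value are assumptions made for the model): the two functions reproduce the visible condition before and after the fix, and the constructed vectors show that a spoofed RST with an arbitrary sequence number passed the old clause simply because the packet had not been IP-reassembled.

```c
/*
 * Added illustration (not pf's code): a stand-alone model of the
 * reset sequence-number clause in pf_tcp_track_full(), before and after
 * the one-line fix in this commit.  Everything here is a simplification:
 * the real clause is one term of a larger window test, and the flag
 * value for PFDESC_IP_REAS is assumed, not taken from the kernel headers.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TH_RST          0x04    /* TCP RST flag bit, as in <netinet/tcp.h> */
#define PFDESC_IP_REAS  0x01    /* assumed value: "packet was IP-reassembled" */

/*
 * Clause as it read before the fix.  Because the reassembly test is OR'd
 * in with the sequence comparisons, a RST that was *not* reassembled
 * (the normal case) satisfies the clause whatever sequence number it
 * carries.  32-bit arithmetic wraps here as it does in the kernel.
 */
bool rst_clause_before(uint8_t th_flags, uint32_t orig_seq, int pd_flags,
                       uint32_t seqlo)
{
    return (th_flags & TH_RST) == 0 ||
           orig_seq == seqlo ||
           orig_seq == seqlo + 1 ||
           orig_seq + 1 == seqlo ||
           (pd_flags & PFDESC_IP_REAS) == 0;
}

/* Clause after the fix: a RST must carry seqlo, seqlo + 1 or seqlo - 1. */
bool rst_clause_after(uint8_t th_flags, uint32_t orig_seq, uint32_t seqlo)
{
    return (th_flags & TH_RST) == 0 ||
           orig_seq == seqlo ||
           orig_seq == seqlo + 1 ||
           orig_seq + 1 == seqlo;
}

/* Constructed test vectors: a tracked connection whose peer's next
 * expected sequence number is seqlo, probed with various packets. */
struct vec {
    const char *what;
    uint8_t     th_flags;
    uint32_t    orig_seq;
    int         pd_flags;
    uint32_t    seqlo;
};

static const struct vec vecs[] = {
    { "ACK, any seq (clause only gates RSTs)",      0x10,   123456, 0,              1000 },
    { "RST, exact seq",                             TH_RST, 1000,   0,              1000 },
    { "RST, seq = seqlo + 1",                       TH_RST, 1001,   0,              1000 },
    { "RST, seq = seqlo - 1",                       TH_RST, 999,    0,              1000 },
    { "RST, seq wraps (0 after 0xffffffff)",        TH_RST, 0,      0,              0xffffffffu },
    { "spoofed RST, seq far off, not reassembled",  TH_RST, 5000,   0,              1000 },
    { "spoofed RST, seq far off, reassembled",      TH_RST, 5000,   PFDESC_IP_REAS, 1000 },
};

int main(void)
{
    printf("%-45s %-8s %-8s\n", "packet", "before", "after");
    for (size_t i = 0; i < sizeof vecs / sizeof vecs[0]; i++) {
        const struct vec *v = &vecs[i];
        bool b = rst_clause_before(v->th_flags, v->orig_seq, v->pd_flags, v->seqlo);
        bool a = rst_clause_after(v->th_flags, v->orig_seq, v->seqlo);
        printf("%-45s %-8s %-8s\n", v->what,
               b ? "pass" : "reject", a ? "pass" : "reject");
    }
    return 0;
}
```

The row to look at is "spoofed RST, seq far off, not reassembled": the old clause passes it purely because the packet was not reassembled, the new clause rejects it, so an injector who can impersonate the peer and guess the ports still has to know the connection's sequence state. The model covers only the RST clause; the surrounding `ackskew` and window checks are unchanged by the commit and are not reproduced here.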
laffer1 committed Dec 5, 2023
1 parent 5e0df24 commit fdad4db
Showing 1 changed file with 1 addition and 2 deletions: sys/netpfil/pf/pf.c
@@ -4600,8 +4600,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif,
(ackskew <= (MAXACKWINDOW << sws)) &&
/* Acking not more than one window forward */
((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo ||
(orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) ||
(pd->flags & PFDESC_IP_REAS) == 0)) {
(orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) {
/* Require an exact/+1 sequence match on resets when possible */

if (dst->scrub || src->scrub) {
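Review bot: the comment that follows the closing condition, "Require an exact/+1 sequence match on resets when possible", is now stale: the "when possible" qualifier referred to the `(pd->flags & PFDESC_IP_REAS) == 0` escape hatch this hunk removes, and with that term gone a RST must carry `src->seqlo`, `src->seqlo + 1` or `src->seqlo - 1` unconditionally, so drop "when possible" or reword the comment to say the match is always required. It is also worth spelling out, in the commit message, that the removed term was OR'd with the whole RST clause, so every RST that had not been IP-reassembled (the normal case) skipped the sequence comparison entirely and was gated only by the `ackskew` and window checks in the preceding lines.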