authorhenning <henning@openbsd.org>2018-09-10 15:54:28 +0000
committerhenning <henning@openbsd.org>2018-09-10 15:54:28 +0000
commit671f98448e7016569b74af012f30ed59e5c4fc00 (patch)
treea2c946a726a992da73bd969ae643d6ae3f8ebc5e
parenttest all variations of network statements (diff)
in pf_syncookie_validate, return early if we don't have syncookies in
flight that can possibly match. there is a tiny but real chance that a sequence number matches our hash and we would end up dropping legitimate traffic. unclear whether that has actually happened, since the report chain is long :) report via haesbert via bluhm; ok bluhm
-rw-r--r--sys/net/pf_syncookies.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/sys/net/pf_syncookies.c b/sys/net/pf_syncookies.c
index bc73aae7bac..d6691b8e935 100644
--- a/sys/net/pf_syncookies.c
+++ b/sys/net/pf_syncookies.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_syncookies.c,v 1.6 2018/06/18 11:00:31 procter Exp $ */
+/* $OpenBSD: pf_syncookies.c,v 1.7 2018/09/10 15:54:28 henning Exp $ */
/* Copyright (c) 2016,2017 Henning Brauer <henning@openbsd.org>
* Copyright (c) 2016 Alexandr Nedvedicky <sashan@openbsd.org>
@@ -222,8 +222,12 @@ pf_syncookie_validate(struct pf_pdesc *pd)
seq = ntohl(pd->hdr.tcp.th_seq) - 1;
ack = ntohl(pd->hdr.tcp.th_ack) - 1;
cookie.cookie = (ack & 0xff) ^ (ack >> 24);
- hash = pf_syncookie_mac(pd, cookie, seq);
+ /* we don't know oddeven before setting the cookie (union) */
+ if (pf_status.syncookies_inflight[cookie.flags.oddeven] == 0)
+ return (0);
+
+ hash = pf_syncookie_mac(pd, cookie, seq);
if ((ack & ~0xff) != (hash & ~0xff))
return (0);