pf: Prevent integer overflow in PF when calculating the adaptive timeout.
Mainly states of established TCP connections would be affected, resulting in immediate state removal once the number of states exceeds adaptive.start. Disabling adaptive timeouts is a workaround to avoid this bug. Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr) Reported by: Andreas Longwitz <longwitz AT incore.de> Obtained from: OpenBSD MFC after: 2 weeks
This commit is contained in:
parent
7984cba7d7
commit
5b551954ab
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=341833
@ -1567,9 +1567,11 @@ pf_state_expires(const struct pf_state *state)
|
||||
states = V_pf_status.states;
|
||||
}
|
||||
if (end && states > start && start < end) {
|
||||
if (states < end)
|
||||
return (state->expire + timeout * (end - states) /
|
||||
(end - start));
|
||||
if (states < end) {
|
||||
timeout = (u_int64_t)timeout * (end - states) /
|
||||
(end - start);
|
||||
return (state->expire + timeout);
|
||||
}
|
||||
else
|
||||
return (time_uptime);
|
||||
}
|
||||
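Review bot: The scaled value is stored back into `timeout` on the added `timeout = (u_int64_t)timeout * (end - states) / (end - start);` line, which silently narrows the 64-bit quotient to timeout's own (presumably 32-bit; its declaration is outside the hunk) type, and nothing at the site says why that cannot truncate. It is safe only because the enclosing guards `states > start`, `start < end` and `states < end` give `(end - states) < (end - start)`, so the quotient is strictly smaller than the original timeout and the division can never be by zero; a reader should not have to re-derive that. A one-line comment beside the cast would settle it, e.g. `/* (end - states) < (end - start) here, so the scaled timeout fits back in its original type. */`. The rest of pf_state_expires, including the variable declarations and the return taken when states <= start, lies outside the hunk.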
|