I can find no reason to allow packets with both SYN and FIN bits
set past this point in the code. The packet should be dropped and not massaged as it is here.

Differential Revision: https://reviews.freebsd.org/D2266
Submitted by: eri
Sponsored by: Rubicon Communications (Netgate)
parent de9078cbfa
commit be303b042b
@ -1643,7 +1643,7 @@ pf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff,
|
||||
goto tcp_drop;
|
||||
|
||||
if (flags & TH_FIN)
|
||||
flags &= ~TH_FIN;
|
||||
goto tcp_drop;
|
||||
} else {
|
||||
/* Illegal packet */
|
||||
if (!(flags & (TH_ACK|TH_RST)))
|
||||
|
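Review bot: The `if (flags & TH_FIN)` test now ends in `goto tcp_drop;` where the commit message says the packet used to be massaged (`flags &= ~TH_FIN;`), and nothing in the code records that SYN+FIN is discarded on purpose. A short comment on that check, in the style of the `/* Illegal packet */` comment in the else branch, would keep a later reader from restoring the clearing behaviour. Since this test and the one above it that ends in `goto tcp_drop;` now have the same outcome, consider folding them into a single flags test. It is also worth checking whether the user-facing description of TCP normalization needs to say that such packets are dropped rather than rewritten, since rulesets that relied on the old behaviour will see traffic disappear.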