in pf_syncookie_validate, return early if we don't have syncookies in
flight that can possibly match. there is a tiny but existing chance that
a sequence number matches w/ our hash and we'd end up dropping traffic.
unclear whether that has actually happened since the report chain is long :)
report via haesbert via bluhm; ok bluhm

author: henning <henning@openbsd.org>, Mon, 10 Sep 2018 15:54:28 +0000 (15:54 +0000)
committer: henning <henning@openbsd.org>, Mon, 10 Sep 2018 15:54:28 +0000 (15:54 +0000)

sys/net/pf_syncookies.c

index bc73aae..d6691b8 100644
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf_syncookies.c,v 1.6 2018/06/18 11:00:31 procter Exp $ */
+/*     $OpenBSD: pf_syncookies.c,v 1.7 2018/09/10 15:54:28 henning Exp $ */
 
 /* Copyright (c) 2016,2017 Henning Brauer <henning@openbsd.org>
  * Copyright (c) 2016 Alexandr Nedvedicky <sashan@openbsd.org>
@@ -222,8 +222,12 @@ pf_syncookie_validate(struct pf_pdesc *pd)
        seq = ntohl(pd->hdr.tcp.th_seq) - 1;
        ack = ntohl(pd->hdr.tcp.th_ack) - 1;
        cookie.cookie = (ack & 0xff) ^ (ack >> 24);
-       hash = pf_syncookie_mac(pd, cookie, seq);
 
+       /* we don't know oddeven before setting the cookie (union) */
+       if (pf_status.syncookies_inflight[cookie.flags.oddeven] == 0)
+               return (0);
+
+       hash = pf_syncookie_mac(pd, cookie, seq);
        if ((ack & ~0xff) != (hash & ~0xff))
                return (0);
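Review bot: the new comment "we don't know oddeven before setting the cookie (union)" is hard to follow for a reader who does not have the union definition in front of them; since `cookie.flags.oddeven` is read through the union immediately after `cookie.cookie` is assigned from the ack field, something like "oddeven overlays cookie in the union, so it is only valid once cookie.cookie is set" states the ordering constraint directly. The comment should also say why the early `return (0)` is correct rather than just where it must sit: an inflight count of zero for that parity means no cookie of that generation is outstanding, so a later `hash` match could only be the accidental collision the commit message describes, and rejecting before `pf_syncookie_mac()` avoids both the dropped traffic and the MAC computation.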