From 671f98448e7016569b74af012f30ed59e5c4fc00 Mon Sep 17 00:00:00 2001
From: henning
Date: Mon, 10 Sep 2018 15:54:28 +0000
Subject: [PATCH] in pf_syncookie_validate, return early if we don't have syncookies in flight that can possibly match.

there is a tiny but existing chance that a sequence number matches w/ our hash and we'd end up dropping traffic. unclear whether that has actually happened since the report chain is long :)
report via haesbert via bluhm; ok bluhm
---
 sys/net/pf_syncookies.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/net/pf_syncookies.c b/sys/net/pf_syncookies.c
index bc73aae7bac..d6691b8e935 100644
--- a/sys/net/pf_syncookies.c
+++ b/sys/net/pf_syncookies.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_syncookies.c,v 1.6 2018/06/18 11:00:31 procter Exp $ */
+/* $OpenBSD: pf_syncookies.c,v 1.7 2018/09/10 15:54:28 henning Exp $ */
 /* Copyright (c) 2016,2017 Henning Brauer
  * Copyright (c) 2016 Alexandr Nedvedicky
@@ -222,8 +222,12 @@ pf_syncookie_validate(struct pf_pdesc *pd)
 	seq = ntohl(pd->hdr.tcp.th_seq) - 1;
 	ack = ntohl(pd->hdr.tcp.th_ack) - 1;
 	cookie.cookie = (ack & 0xff) ^ (ack >> 24);
-	hash = pf_syncookie_mac(pd, cookie, seq);
+	/* we don't know oddeven before setting the cookie (union) */
+	if (pf_status.syncookies_inflight[cookie.flags.oddeven] == 0)
+		return (0);
+
+	hash = pf_syncookie_mac(pd, cookie, seq);
 	if ((ack & ~0xff) != (hash & ~0xff))
 		return (0);
-- 
2.20.1
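Review bot: The comment on the inserted guard explains the union aliasing only obliquely; since `cookie.flags.oddeven` is read immediately after `cookie.cookie` is assigned from the ACK, it would read more clearly as `/* cookie.flags aliases cookie.cookie (union), so oddeven is only meaningful after the assignment above */`. It is also worth stating at the guard what it buys and what it does not: with no syncookies outstanding for that generation, an ACK whose number happens to agree with the MAC can no longer be mistaken for a cookie reply and dropped, which is the false positive the commit message describes, but while cookies are in flight the collision chance on the 24 bits still compared by `(ack & ~0xff) != (hash & ~0xff)` remains, so a `/* narrows, does not remove, the collision window while cookies are in flight */` note keeps a later reader from treating the check as a complete fix. How `syncookies_inflight` is maintained and under which lock is not visible here, so whether a stale zero can race with a cookie being issued is something to confirm against the callers. pf_syncookie_validate continues beyond the end of the hunk.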