From b54c49ee96706252b9b0c2c04915fb136800229a Mon Sep 17 00:00:00 2001
From: henning
Date: Mon, 13 Jun 2022 12:48:00 +0000
Subject: [PATCH] fix logic bug in pf_find_state() a state in PFTM_PURGE could potentially hide another state on the same state key that is active and we'd incorrectly block the packet I believe that cannot happen as things are now. ok sashan
---
 sys/net/pf.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 93fe5702625..cff5528294b 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1132 2022/05/23 11:17:35 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1133 2022/06/13 12:48:00 henning Exp $ */
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1133,7 +1133,8 @@ pf_find_state(struct pf_pdesc *pd, struct pf_state_key_cmp *key,
 /* list is sorted, if-bound states before floating ones */
 TAILQ_FOREACH(si, &sk->states, entry)
- if ((si->s->kif == pfi_all || si->s->kif == pd->kif) &&
+ if (si->s->timeout != PFTM_PURGE &&
+ (si->s->kif == pfi_all || si->s->kif == pd->kif) &&
 ((si->s->key[PF_SK_WIRE]->af == si->s->key[PF_SK_STACK]->af && sk == (pd->dir == PF_IN ? si->s->key[PF_SK_WIRE] : si->s->key[PF_SK_STACK])) ||
@@ -1144,7 +1145,7 @@ pf_find_state(struct pf_pdesc *pd, struct pf_state_key_cmp *key,
 break;
 }
- if (s == NULL || s->timeout == PFTM_PURGE)
+ if (s == NULL)
 return (PF_DROP);
 if (s->rule.ptr->pktrate.limit && pd->dir == s->direction) {
--
2.20.1
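Review bot: The reason for the new `si->s->timeout != PFTM_PURGE` test in the TAILQ_FOREACH condition of pf_find_state() is recorded only in the commit message, so the existing comment above the loop should be extended, for example `/* skip states in PFTM_PURGE so they cannot hide an active state on the same key */`. With the purge test moved into the loop, the simplified `if (s == NULL)` in the last hunk returns PF_DROP for a key whose states are all being purged only if `s` is still NULL when no entry matches; the initialisation of `s` is outside both hunks and is worth confirming. Per the commit message the old behaviour could wrongly block a packet, which is a fail-closed error rather than a filter bypass. The function body starts before and ends after the lines shown.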