pfsync: reject invalid SCTP states

SCTP states should always have a src scrub object associated with them.
Crafted pfsync packets might not have this, leading to us dereferencing a
NULL pointer on cleanup.

Validate the pfsync state insertion packet to make sure this is correct.

PR:		294989
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Kristof Provost
2026-05-04 18:08:35 +02:00
parent 6f84579ae4
commit bf6d00afdb
@@ -873,6 +873,13 @@ pfsync_state_import(union pfsync_state_union *sp, int flags, int msg_version)
(st->act.rtableid >= 0 && st->act.rtableid < rt_numfibs)))
goto cleanup;
if (sks->proto == IPPROTO_SCTP && st->src.scrub == NULL) {
if (V_pf_status.debug >= PF_DEBUG_MISC)
printf("%s: invalid SCTP state from creator id: %08x\n", __func__,
ntohl(sp->pfs_1301.creatorid));
goto cleanup;
}
st->id = sp->pfs_1301.id;
st->creatorid = sp->pfs_1301.creatorid;
pf_state_peer_ntoh(&sp->pfs_1301.src, &st->src);
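Review bot: The new `goto cleanup` in the SCTP check sets no error value of its own, so the caller sees whatever `error` held from earlier in the function; please confirm that value tells the caller the state was rejected as invalid, or assign one explicitly before the jump. The rejection is also only visible when `V_pf_status.debug >= PF_DEBUG_MISC`, so at default debug levels a peer sending malformed SCTP states is dropped silently; bumping a statistics counter here would let operators notice it. The test reads `st->src.scrub` before the `pf_state_peer_ntoh(&sp->pfs_1301.src, &st->src)` line below it, so a one-line comment saying where the scrub object is expected to have been allocated would make the ordering clear. Lastly, the check covers only `src`, which matches the commit message; a note on whether `dst.scrub` can be left NULL safely for SCTP on the cleanup path would close the question.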