pfsync: reject invalid SCTP states
SCTP states should always have a src scrub object associated with them.
Crafted pfsync packets might not have this, leading to us dereferencing a
NULL pointer on cleanup.
Validate the pfsync state insertion packet to make sure this is correct.
PR: 294989
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
@@ -873,6 +873,13 @@ pfsync_state_import(union pfsync_state_union *sp, int flags, int msg_version)
|
||||
(st->act.rtableid >= 0 && st->act.rtableid < rt_numfibs)))
|
||||
goto cleanup;
|
||||
|
||||
if (sks->proto == IPPROTO_SCTP && st->src.scrub == NULL) {
|
||||
if (V_pf_status.debug >= PF_DEBUG_MISC)
|
||||
printf("%s: invalid SCTP state from creator id: %08x\n", __func__,
|
||||
ntohl(sp->pfs_1301.creatorid));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
st->id = sp->pfs_1301.id;
|
||||
st->creatorid = sp->pfs_1301.creatorid;
|
||||
pf_state_peer_ntoh(&sp->pfs_1301.src, &st->src);
|
||||
|
||||
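Review bot: The new guard tests only `st->src.scrub`, so an imported SCTP state with no destination-side scrub object still passes. If the cleanup or later SCTP paths also dereference `st->dst.scrub` (not visible in this hunk), the condition should cover both peers: `if (sks->proto == IPPROTO_SCTP && (st->src.scrub == NULL || st->dst.scrub == NULL)) {`. The branch also reaches `goto cleanup` without setting a return value in the visible lines, so the caller sees whatever was assigned earlier in `pfsync_state_import`; assigning `EINVAL` explicitly before the jump would make the rejection unambiguous. The message is printed only at `PF_DEBUG_MISC`, so by default a peer sending malformed states is dropped silently, and a statistics counter bump here would help detection. The function body starts and ends outside the hunk, so where the scrub pointers are populated cannot be confirmed from here.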