Page MenuHomeFreeBSD

pf: initial SCTP support
ClosedPublic

Authored by kp on Jul 4 2023, 7:11 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 16, 1:23 AM
Unknown Object (File)
Sun, Dec 8, 5:58 AM
Unknown Object (File)
Thu, Dec 5, 6:26 AM
Unknown Object (File)
Sun, Dec 1, 11:12 AM
Unknown Object (File)
Sun, Nov 24, 1:48 PM
Unknown Object (File)
Nov 21 2024, 2:30 AM
Unknown Object (File)
Nov 19 2024, 6:34 AM
Unknown Object (File)
Nov 19 2024, 5:59 AM

Details

Summary

Basic state tracking for SCTP. This means we scan through the packet to
identify the different chunks (so we can identify state changes).

MFC after: 3 weeks
Sponsored by: Orange Business Services

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp requested review of this revision.Jul 4 2023, 7:11 AM
tuexen added inline comments.
sys/netpfil/pf/pf_norm.c
2026

Does this loop provide a way for a DOS attack? Assume an attacker sends a lot of packets containing, for example, (1500 - 12) / 4 = 372 chunks?

2032

If an attacker sends a chunk with chunk_length == 0, doesn't this results in an endless loop?

2132

The same applies to INIT ACK and SHUTDOWN COMPLETE chunks. Why is this not tested?

Improve validation of INIT chunks

initiate_tag, num_inbound_streams and num_outbound_streams may not be zero.
v_tag must be zero.

Ensure that the INIT chunk is the only chunk in the packet.

  • rebase
  • use sctp_calculate_cksum() via pf_sctp_checksum()
This revision was not accepted when it landed; it landed in state Needs Review.Jul 21 2023, 10:34 AM
Closed by commit rG010ee43f5673: pf: initial SCTP support (authored by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.