
MFC r322750:

Description

MFC r322750:

Fix the regression introduced in r275710.

When a security policy should match a TCP connection with specific ports,
the SYN+ACK segment sent by syncache_respond() is considered a forwarded
packet, because at this moment the TCP connection does not have a PCB structure,
and ip_output() is called without an inpcb pointer. In this case the SPIDX filled
for the SP lookup will not contain the TCP ports and the security policy will not
be found. This can lead to an unencrypted SYN+ACK on the wire.

This patch restores the old behavior, in which ports are not filled only
for forwarded packets.

Reported by:	Dewayne Geraghty <dewayne.geraghty at heuristicsystems.com.au>

MFC r322751:

Remove stale comments.

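The failure mode described in the commit message (an SPIDX built without TCP ports cannot match a port-specific policy, so the SP lookup misses and the SYN+ACK leaves in the clear) is easy to see in a small model of the SPD lookup. The following C is an added example, not code from FreeBSD's netipsec; the structures, the policy, the addresses and the function names (fill_spidx, sp_lookup, synack_protected) are hypothetical, and the "regressed" flag switches between the two rules the message contrasts: skip ports whenever there is no inpcb (r275710 behaviour) versus skip ports only for forwarded packets (restored behaviour).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the SPD lookup; not FreeBSD's netipsec code. */
#define ULPROTO_ANY 255     /* wildcard upper-layer protocol (hypothetical) */
#define PORT_ANY    0       /* wildcard port (hypothetical) */
#define PROTO_TCP   6

enum dir { DIR_OUT = 1, DIR_IN = 2 };

struct spidx {                  /* selector used to look up a policy */
    uint32_t src, dst;          /* IPv4 addresses, host byte order */
    uint8_t  ul_proto;
    uint16_t sport, dport;      /* PORT_ANY when not filled */
    enum dir dir;
};

struct secpolicy {
    struct spidx idx;
    int require_ipsec;          /* 1 = must be protected, 0 = bypass */
};

struct pkt {                    /* what the fill routine sees on the wire */
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t sport, dport;
};

/* Build the SPIDX. regressed=1 models r275710: ports are dropped whenever
 * no inpcb is present. regressed=0 models the restored rule: ports are
 * dropped only for forwarded packets. */
static void
fill_spidx(struct spidx *idx, const struct pkt *p, enum dir dir,
    int have_inp, int forwarding, int regressed)
{
    int skip_ports = regressed ? !have_inp : forwarding;

    memset(idx, 0, sizeof(*idx));
    idx->src = p->src;
    idx->dst = p->dst;
    idx->dir = dir;
    idx->ul_proto = p->proto;
    idx->sport = skip_ports ? PORT_ANY : p->sport;
    idx->dport = skip_ports ? PORT_ANY : p->dport;
}

/* Policy selector matches packet selector; wildcards in the policy only. */
static int
spidx_match(const struct spidx *pol, const struct spidx *pkt)
{
    if (pol->dir != pkt->dir || pol->src != pkt->src || pol->dst != pkt->dst)
        return 0;
    if (pol->ul_proto != ULPROTO_ANY && pol->ul_proto != pkt->ul_proto)
        return 0;
    if (pol->sport != PORT_ANY && pol->sport != pkt->sport)
        return 0;
    if (pol->dport != PORT_ANY && pol->dport != pkt->dport)
        return 0;
    return 1;
}

static const struct secpolicy *
sp_lookup(const struct secpolicy *spd, size_t n, const struct spidx *idx)
{
    for (size_t i = 0; i < n; i++)
        if (spidx_match(&spd[i].idx, idx))
            return &spd[i];
    return NULL;                /* no policy: packet is sent in the clear */
}

/* Constructed SPD: protect outbound TCP from local port 22 (10.0.0.1)
 * to the peer 10.0.0.2, any peer port. */
static const struct secpolicy spd[] = {
    { { 0x0A000001, 0x0A000002, PROTO_TCP, 22, PORT_ANY, DIR_OUT }, 1 },
};

/* 1 if the syncache SYN+ACK hits the port-specific policy, 0 if it
 * would be transmitted unprotected. */
int
synack_protected(int regressed)
{
    struct pkt synack = { 0x0A000001, 0x0A000002, PROTO_TCP, 22, 40000 };
    struct spidx idx;
    const struct secpolicy *sp;

    /* syncache_respond(): no inpcb yet, but this host originated it. */
    fill_spidx(&idx, &synack, DIR_OUT, /*have_inp*/ 0, /*forwarding*/ 0,
        regressed);
    sp = sp_lookup(spd, sizeof(spd) / sizeof(spd[0]), &idx);
    return sp != NULL && sp->require_ipsec;
}

/* A genuinely forwarded packet never carries ports into the lookup
 * under either rule; this is the case the original change intended. */
int
forwarded_ports_filled(int regressed)
{
    struct pkt fwd = { 0x0A000001, 0x0A000002, PROTO_TCP, 22, 40000 };
    struct spidx idx;

    fill_spidx(&idx, &fwd, DIR_OUT, 0, /*forwarding*/ 1, regressed);
    return idx.sport != PORT_ANY || idx.dport != PORT_ANY;
}

int
main(void)
{
    printf("regressed rule: SYN+ACK protected = %d\n", synack_protected(1));
    printf("restored rule:  SYN+ACK protected = %d\n", synack_protected(0));
    return 0;
}
```

The lookup itself is the same in both runs; only the selector differs. With the regressed rule the selector carries sport 0, which does not satisfy a policy pinned to port 22, so sp_lookup() returns NULL and the segment would go out unencrypted. With the restored rule the locally generated SYN+ACK keeps its ports and the policy matches, while a forwarded packet is still looked up without ports in both cases.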
Details

Parents
rS322965: Make _Static_assert() work with GCC in older C++ standards.