[Midnightbsd-cvs] [MidnightBSD/src] fdad4d: As part of its stateful TCP connection tracking im...
Lucas Holt
noreply at github.com
Tue Dec 5 17:26:57 EST 2023
Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: fdad4db40e18678181120a1b3361f0665213683f
https://github.com/MidnightBSD/src/commit/fdad4db40e18678181120a1b3361f0665213683f
Author: Lucas Holt <luke at foolishgames.com>
Date: 2023-12-05 (Tue, 05 Dec 2023)
Changed paths:
M sys/netpfil/pf/pf.c
Log Message:
-----------
As part of its stateful TCP connection tracking implementation, pf
performs sequence number validation on inbound packets. This makes it
difficult for a would-be attacker to spoof the sender and inject packets
into a TCP stream, since crafted packets must contain sequence numbers
which match the current connection state to avoid being rejected by the
firewall.
A bug in the implementation of sequence number validation means that the
sequence number is not in fact validated, allowing an attacker who is
able to impersonate the remote host and guess the connection's port
numbers to inject packets into the TCP stream.
Obtained from: FreeBSD
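A constructed, simplified model of the sequence-window check the commit message refers to, added here as an illustration and not taken from pf.c or the FreeBSD fix: a tracker records the peer's expected sequence window from its SYN, accepts only inbound segments that fall inside that window (with slack for retransmissions), and slides the window as data is seen. The structure and function names (peer_state, seq_valid, peer_update) and the retransmission slack of one window are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed, simplified model of the per-peer state a stateful firewall
 * keeps for one direction of a TCP connection; not pf's own structures. */
struct peer_state {
    uint32_t seqlo;   /* highest sequence number this peer has sent so far */
    uint32_t seqhi;   /* upper edge of what the peer may send next (exclusive) */
    uint32_t max_win; /* largest receive window the peer has advertised */
};

/* 32-bit sequence comparison that survives wraparound (RFC 793 style). */
static bool seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* Start tracking from the peer's SYN: its ISN and advertised window. */
void peer_init(struct peer_state *p, uint32_t isn, uint32_t win)
{
    p->seqlo = isn + 1;
    p->max_win = win;
    p->seqhi = p->seqlo + win;
}

/* The check the commit message describes: an inbound segment [seq, seq+len)
 * passes only if it lies inside the expected window. Retransmissions are
 * tolerated back to seqlo - max_win (an assumption of this model); a spoofed
 * segment with a guessed sequence number falls outside and is dropped. */
bool seq_valid(const struct peer_state *p, uint32_t seq, uint32_t len)
{
    uint32_t end = seq + len;
    if (seq_lt(seq, p->seqlo - p->max_win))
        return false;               /* too far behind to be a retransmission */
    if (seq_lt(p->seqhi, end))
        return false;               /* beyond what the peer may send yet */
    return true;
}

/* After an accepted segment, slide the window forward past the data seen
 * and widen it if the peer advertised a larger window. */
void peer_update(struct peer_state *p, uint32_t seq, uint32_t len, uint32_t win)
{
    uint32_t end = seq + len;
    if (win > p->max_win)
        p->max_win = win;
    if (seq_lt(p->seqlo, end))
        p->seqlo = end;
    p->seqhi = p->seqlo + p->max_win;
}
```

The ISN in the test below is chosen near 2^32 so the window wraps, which is the case a naive `<`/`>` comparison on raw sequence numbers gets wrong.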