pf: verify that ABORT chunks are not mixed with DATA chunks

RFC4960 3.3.7: DATA chunks MUST NOT be bundled with ABORT. MFC after: 2 weeks Sponsored by: Orange Business Services
jlduran · Jan 17, 2025 · 541ea3d · 541ea3d
1 parent b2ff4cb
commit 541ea3d
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
@@ -2138,6 +2138,14 @@ pf_scan_sctp(struct pf_pdesc *pd)
 	if ((pd->sctp_flags & PFDESC_SCTP_SHUTDOWN_COMPLETE) &&
 	    (pd->sctp_flags & ~PFDESC_SCTP_SHUTDOWN_COMPLETE))
 		return (PF_DROP);
+	if ((pd->sctp_flags & PFDESC_SCTP_ABORT) &&
+	    (pd->sctp_flags & PFDESC_SCTP_DATA)) {
+		/*
+		 * RFC4960 3.3.7: DATA chunks MUST NOT be
+		 * bundled with ABORT.
+		 */
+		return (PF_DROP);
+	}
 
 	return (PF_PASS);
 }