List:       openbsd-announce
Subject:    OpenBSD errata, Mar 9, 2017
From:       Sebastian Benoit <benno () openbsd ! org>
Date:       2017-03-09 19:15:31
Message-ID: 20170309191531.GF7210 () mail ! webmonster ! de

Prevent integer overflow in PF when calculating the adaptive timeout.

Mainly states of established TCP connections would be affected
resulting in immediate state removal once the number of states is
bigger than adaptive.start.

Disabling adaptive timeouts with
  set timeout { adaptive.start 0, adaptive.end 0 }
is a workaround to avoid this bug.

Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr)

The problem has been fixed in -current. For 5.9 and 6.0 the following
errata patches are available.

https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/019_pf.patch.sig

https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/036_pf.patch.sig
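
Added illustration, not part of the original announcement and not the errata patch: how a 32-bit product can wrap when a timeout is scaled linearly between adaptive.start and adaptive.end. It assumes the scaling factor documented in pf.conf(5), a tcp.established timeout of 86400 seconds and constructed adaptive values; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model: timeouts scale linearly by
 * (adaptive.end - states) / (adaptive.end - adaptive.start), as pf.conf(5)
 * describes. Hypothetical helpers, not the kernel code or the errata patch. */

/* Returns 1 when scaling applies; a zero adaptive.end disables it. */
static int adaptive_active(uint32_t start, uint32_t end, uint32_t states)
{
    return end != 0 && start < end && states > start;
}

/* Product computed in 32 bits: wraps modulo 2^32 for large timeouts. */
static uint32_t scale_timeout_u32(uint32_t timeout, uint32_t start,
    uint32_t end, uint32_t states)
{
    if (!adaptive_active(start, end, states))
        return timeout;
    if (states >= end)
        return 0;
    return timeout * (end - states) / (end - start);
}

/* Product widened to 64 bits before the division: no wrap. */
static uint32_t scale_timeout_u64(uint32_t timeout, uint32_t start,
    uint32_t end, uint32_t states)
{
    if (!adaptive_active(start, end, states))
        return timeout;
    if (states >= end)
        return 0;
    return (uint32_t)((uint64_t)timeout * (end - states) / (end - start));
}

int main(void)
{
    /* Constructed values: tcp.established 86400 s, adaptive.start 50000,
     * adaptive.end 100000, 50289 states in the table. */
    uint32_t t = 86400, start = 50000, end = 100000, states = 50289;

    printf("32-bit: %u s\n", (unsigned)scale_timeout_u32(t, start, end, states));
    printf("64-bit: %u s\n", (unsigned)scale_timeout_u64(t, start, end, states));
    printf("workaround: %u s\n", (unsigned)scale_timeout_u32(t, 0, 0, states));
    return 0;
}
```

With these constructed values the wrapped 32-bit product yields a 1 second timeout where 85900 seconds is correct; short timeouts never reach 2^32, which fits the announcement's note that mainly established TCP states are hit.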
