OpenBSD errata, Mar 9, 2017
9 March, 2017 by benno@openbsd.org | openbsd
Prevent integer overflow in PF when calculating the adaptive timeout. Mainly states of established TCP connections would be affected, resulting in immediate state removal once the number of states is bigger than adaptive.start.

Disabling adaptive timeouts with

    set timeout { adaptive.start 0, adaptive.end 0 }

is a workaround to avoid this bug.

Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr).

The problem has been fixed in -current. For 5.9 and 6.0 the following errata patches are available.

https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/019_pf.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/036_pf.patch.sig
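To make the overflow concrete, here is an added illustration; it is not the PF source or the errata patch. It applies the linear scaling factor documented in pf.conf(5) with the product held in 32 bits and then in 64 bits. The function names are hypothetical, and the inputs are constructed: the 86400 s tcp.established default with adaptive.start/adaptive.end raised to 60000/120000.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustration only, not the PF source. Scaling factor as documented in
 * pf.conf(5): (adaptive.end - states) / (adaptive.end - adaptive.start). */

/* Returns 1 when adaptive scaling applies to this state count. */
static int adaptive_active(uint32_t start, uint32_t end, uint32_t states)
{
	return end != 0 && start < end && states > start;
}

/* Product kept in 32 bits: wraps once timeout * (end - states) >= 2^32. */
uint32_t scale_timeout_32(uint32_t timeout, uint32_t start, uint32_t end,
    uint32_t states)
{
	if (!adaptive_active(start, end, states))
		return timeout;
	if (states >= end)
		return 0;	/* at or past adaptive.end: expire at once */
	return timeout * (end - states) / (end - start);
}

/* Same formula with the product widened to 64 bits before dividing. */
uint32_t scale_timeout_64(uint32_t timeout, uint32_t start, uint32_t end,
    uint32_t states)
{
	if (!adaptive_active(start, end, states))
		return timeout;
	if (states >= end)
		return 0;
	return (uint32_t)((uint64_t)timeout * (end - states) / (end - start));
}

int main(void)
{
	/* Constructed values: tcp.established default of 86400 s and a
	 * raised adaptive.start/adaptive.end of 60000/120000. */
	const uint32_t t = 86400, start = 60000, end = 120000, states = 70289;

	printf("32-bit: %u s\n", (unsigned)scale_timeout_32(t, start, end, states));
	printf("64-bit: %u s\n", (unsigned)scale_timeout_64(t, start, end, states));
	/* Workaround from the erratum: start 0, end 0 disables scaling. */
	printf("disabled: %u s\n", (unsigned)scale_timeout_32(t, 0, 0, states));
	return 0;
}
```

With these inputs the 32-bit product wraps and the scaled timeout collapses to 1 second, where the widened calculation gives 71583 seconds. Short timeouts and small adaptive ranges keep the product below 2^32, which fits the erratum's remark that established TCP states are the ones mainly affected.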