From 41ad86f47182ca6823a592f4a2e0397b71ed7263 Mon Sep 17 00:00:00 2001
From: gnn
Date: Sat, 9 May 2015 19:36:30 +0000
Subject: [PATCH] MFC: 281529
I can find no reason to allow packets with both SYN and FIN bits set past this point in the code. The packet should be dropped and not massaged as it is here.
Differential Revision: https://reviews.freebsd.org/D2266
Submitted by: eri
Sponsored by: Rubicon Communications (Netgate)
git-svn-id: svn://svn.freebsd.org/base/stable/10@282688 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/netpfil/pf/pf_norm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 883b50029..491d1c2ed 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1348,7 +1348,7 @@ pf_normalize_tcp(int dir, struct pfi_kif *kif, struct mbuf *m, int ipoff,
 goto tcp_drop;
 if (flags & TH_FIN)
- flags &= ~TH_FIN;
+ goto tcp_drop;
 } else {
 /* Illegal packet */
 if (!(flags & (TH_ACK|TH_RST)))
-- 
2.45.0
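Review bot: The new `goto tcp_drop;` under `if (flags & TH_FIN)` carries no comment, so a reader of the SYN branch cannot tell that SYN+FIN is now rejected on purpose rather than scrubbed; add one in the style of the `/* Illegal packet */` comment in the `else` branch, e.g. `/* SYN+FIN is never valid: drop instead of clearing FIN */`. The check just above it also ends in `goto tcp_drop;`, and if it is a plain flag test (its condition is outside the hunk) the two could be folded into one mask test. Because this turns a silent rewrite into a drop, it is worth confirming that the `tcp_drop` path, which is not visible here, records a reason and logs the packet so operators can see the newly rejected traffic. pf_normalize_tcp starts and ends outside the hunk.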