From 8274d878c0e1ee57563567e2ae8becf75f9143b1 Mon Sep 17 00:00:00 2001
From: Gordon Tetlow <gordon@FreeBSD.org>
Date: Thu, 19 Mar 2020 16:46:01 +0000
Subject: [PATCH] Fix TCP IPv6 SYN cache kernel information disclosure.

Approved by:	so
Security:	FreeBSD-SA-20:04.tcp
Security:	CVE-2020-7451
---
 sys/netinet/tcp_syncache.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 862374af814..2532affa073 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1728,7 +1728,8 @@ syncache_respond(struct syncache *sc, struct syncache_head *sch,
 		ip6->ip6_dst = sc->sc_inc.inc6_faddr;
 		ip6->ip6_plen = htons(tlen - hlen);
 		/* ip6_hlim is set after checksum */
-		ip6->ip6_flow &= ~IPV6_FLOWLABEL_MASK;
+		/* Zero out traffic class and flow label. */
+		ip6->ip6_flow &= ~IPV6_FLOWINFO_MASK;
 		ip6->ip6_flow |= sc->sc_flowlabel;
 
 		th = (struct tcphdr *)(ip6 + 1);
-- 
2.45.0