DF-0264
Unsigned wraparound in p_len when TCP th_off exceeds actual header
Summary
pf_test(:6623) pd.p_len=tot_len-off-(th_off<<2). th_off attacker-controlled. th_off=15 with 20-byte header: subtraction wraps to ~0xFFFFFFxx. Feeds seq tracking end=seq+p_len(:4470) and seqhi window(:4507). State tracking anomaly. pf_normalize_tcp runs AFTER p_len computed. Defense-in-depth.