DragonFlyBSD Kernel Audit
DF-0430

Unauthenticated PFSYNC_ACT_CLR/DEL/DEL_C let attacker mass-destroy arbitrary pf state across all CPUs

Summary

The PFSYNC_ACT_CLR handler (:542-608) reads a creatorid supplied by the attacker. When ifname[0]==0, it walks tree_id[] on every CPU and calls pf_unlink_state on each state matching that creatorid (:561-574); with a non-empty ifname it walks pf_statetbl[] instead (:584-601). A CLR with creatorid==0 is accepted unconditionally. PFSYNC_ACT_DEL (:749) and DEL_C (:873) unlink individual states selected by an attacker-supplied id/creatorid. There is no source authentication (DF-0428). A remote attacker can therefore mass-delete firewall state, tearing down all tracked connections (availability), or selectively kill specific flows to manipulate ruleset re-evaluation (integrity). State deletion also desynchronizes an HA pair.