DragonFlyBSD Kernel Audit
DF-0431

Dead expire-scaling code: imported state expiry is the raw wire value, allowing effectively unbounded state lifetimes

Summary

pfsync_state_import(:402-408): st->expire is first derived from the rule timeout and the peer's remaining lifetime at :402-406, then UNCONDITIONALLY OVERWRITTEN at :408 by st->expire = ntohl(sp->expire) + time_second. The scaling block is dead code; what is stored is the raw wire value plus the current time, never clamped to the rule's timeout.

Impact: whoever can inject pfsync packets on the sync interface picks the lifetime of the states they create (persistent authorization for the matching flows) and can fill the state table with long-lived entries (state-table exhaustion). The max_states check at :352 imposes no bound when the rule's max_states is 0, the default, meaning unlimited. Legitimate peers are affected too: the wire value is the remaining lifetime, and the overwrite adds it on top of a full rule timeout instead of substituting for it, so their states are imported with the wrong (longer) lifetime.

Check before quoting a lifetime figure: st->expire is a 32-bit field and pf_state_expires() adds the rule timeout to it; that sum, not st->expire itself, is what the purge compares against time_second. sp->expire = 0xFFFFFFFF therefore truncates to time_second - 1 and behaves like an ordinary timeout rather than living ~136 years. The longest lifetime an injector can obtain is a value that puts st->expire + timeout just below 2^32: a state that is not purged until the 32-bit seconds counter wraps in February 2106.
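A stand-alone model of the import arithmetic, added here to make the finding concrete; it is not DragonFlyBSD's code. The struct layout, the rule timeout (86400 s), the clock value (1700000000) and every function name are constructed stand-ins. The shape of the scaled path (base = now - (timeout - remaining)) and of pf_state_expires() (base + rule timeout) follow the OpenBSD-derived pf/pfsync design the finding refers to and are assumptions about the audited lines. The clamp of the wire value to the rule timeout in import_fixed() is the editor's suggested hardening, not something the finding proposes.

```c
/*
 * Constructed model of the pfsync_state_import() expiry arithmetic described
 * in DF-0431. Not DragonFlyBSD code: structs, timeout, clock and names are
 * stand-ins chosen for illustration.
 *
 * Assumed pf semantics (OpenBSD-derived): st->expire is a 32-bit base time;
 * pf_state_expires() adds the rule timeout to it; a state is purged once that
 * sum is <= the current time; pfsync carries the peer's *remaining* lifetime,
 * so a correct import sets base = now - (timeout - remaining).
 */
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

#define MODEL_TIMEOUT 86400u          /* constructed rule timeout, seconds */
#define MODEL_NOW     1700000000ull   /* constructed time_second */

struct model_rule { uint32_t timeout; };
struct model_state { uint32_t expire; const struct model_rule *rule; };
struct model_pfsync_state { uint32_t expire; };   /* network byte order */

/* Stand-in for pf_state_expires(): absolute purge time, 32-bit like pf's. */
static uint32_t
model_state_expires(const struct model_state *st)
{
    return st->expire + st->rule->timeout;
}

/* Seconds until purge as seen from `now`; 0 if already purgeable. */
static uint32_t
model_remaining(const struct model_state *st, uint64_t now)
{
    uint64_t exp = model_state_expires(st);

    return exp > now ? (uint32_t)(exp - now) : 0;
}

/* Import as the audited function does it: the scaled value is computed
 * (the :402-406 block) and then replaced by raw wire value + now (:408). */
static void
import_overwrite(struct model_state *st, const struct model_pfsync_state *sp,
    uint64_t now)
{
    uint32_t remaining = ntohl(sp->expire);

    st->expire = (uint32_t)now;                     /* dead code from here... */
    if (remaining)
        st->expire -= st->rule->timeout - remaining;
    st->expire = (uint32_t)(remaining + now);       /* ...overwritten here */
}

/* Import with the scaled computation kept and the wire value clamped to the
 * rule timeout, so neither a peer nor an injector can extend a lifetime. */
static void
import_fixed(struct model_state *st, const struct model_pfsync_state *sp,
    uint64_t now)
{
    uint32_t remaining = ntohl(sp->expire);
    uint32_t timeout = st->rule->timeout;

    if (remaining > timeout)
        remaining = timeout;
    st->expire = (uint32_t)now;
    if (remaining)
        st->expire -= timeout - remaining;
}

/* Import one state with the given wire value and return its lifetime. */
static uint32_t
lifetime_after_import(int fixed, uint32_t wire_remaining, uint64_t now)
{
    const struct model_rule r = { MODEL_TIMEOUT };
    struct model_state st = { 0, &r };
    struct model_pfsync_state sp = { htonl(wire_remaining) };

    if (fixed)
        import_fixed(&st, &sp, now);
    else
        import_overwrite(&st, &sp, now);
    return model_remaining(&st, now);
}

/* Wire value that makes st->expire + timeout land on 0xFFFFFFFF under the
 * overwrite: the longest lifetime an injector can obtain (purge at the
 * 32-bit wrap in 2106). */
static uint32_t
max_wire_value(uint64_t now)
{
    return (uint32_t)(0xFFFFFFFFull - now - MODEL_TIMEOUT);
}

int
main(void)
{
    const uint32_t cases[] = { 600, 0xFFFFFFFFu, max_wire_value(MODEL_NOW) };
    size_t i;

    printf("%-12s %12s %12s\n", "sp->expire", "overwrite", "fixed");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-12u %12u %12u\n", cases[i],
            lifetime_after_import(0, cases[i], MODEL_NOW),
            lifetime_after_import(1, cases[i], MODEL_NOW));
    return 0;
}
```

The three rows cover the finding's claims: a legitimate peer reporting 600 s remaining gets a state that lives 600 s plus a full timeout under the overwrite and exactly 600 s under the scaled path; 0xFFFFFFFF wraps to an ordinary timeout rather than an infinite one; and the maximum wire value yields a state that survives until the 32-bit counter wraps, which the clamp reduces to one rule timeout.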