DF-0432
Crafted PFSYNC_ACT_BUS endtime prematurely marks pfsync_sync_ok: HA-status spoofing
Summary
PFSYNC_ACT_BUS status PFSYNC_BUS_END(:974): evaluates time_seconds-ntohl(bus->endtime)>=sc_ureq_sent. bus->endtime fully attacker-controlled u32. Choose value so subtraction>=stored timestamp -> success branch: sc_ureq_sent=0, pfsync_sync_ok=1, CARP un-demoted(:982-989). Premature sync-ok without real state sync. Requires sc_ureq_sent!=0 (bulk pending). On-link attacker spoofs completion handshake.