In some cases, the tcp-setmss handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference.
Maliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the tcp-setmss directive is used and a subsequent rule would allow the traffic to pass.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freebsd | Freebsd | 13.5 (including) | 13.5 (including) |
| Freebsd | Freebsd | 13.5-p1 (including) | 13.5-p1 (including) |
| Freebsd | Freebsd | 13.5-p2 (including) | 13.5-p2 (including) |
| Freebsd | Freebsd | 13.5-p3 (including) | 13.5-p3 (including) |
| Freebsd | Freebsd | 13.5-p4 (including) | 13.5-p4 (including) |
| Freebsd | Freebsd | 13.5-p5 (including) | 13.5-p5 (including) |
| Freebsd | Freebsd | 13.5-p6 (including) | 13.5-p6 (including) |
| Freebsd | Freebsd | 13.5-p7 (including) | 13.5-p7 (including) |
| Freebsd | Freebsd | 14.3 (including) | 14.3 (including) |
| Freebsd | Freebsd | 14.3-p1 (including) | 14.3-p1 (including) |
| Freebsd | Freebsd | 14.3-p2 (including) | 14.3-p2 (including) |
| Freebsd | Freebsd | 14.3-p3 (including) | 14.3-p3 (including) |
| Freebsd | Freebsd | 14.3-p4 (including) | 14.3-p4 (including) |
| Freebsd | Freebsd | 14.3-p5 (including) | 14.3-p5 (including) |
| Freebsd | Freebsd | 14.3-p6 (including) | 14.3-p6 (including) |