pfSense: pfSense-SA-16_04.filterlog: Denial of Service in filterlog due to malformed SCPS options in a packet.

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published
May 16, 2016
Added
Aug 25, 2017
Modified
Feb 18, 2025

Description

A deliberately malformed TCP SYN packet carrying option kind 20 (0x14) can crash
the filterlog daemon with a segmentation fault, after which all logging of
packets matched by firewall rules ceases.

Option 20 is SCPS-TP (Space Communications Protocol Specifications - Transport
Protocol), a TCP variant for space links that is rarely seen on the Internet in
general. The SCPS Capabilities Option is sent in a TCP SYN packet and consists of
four one-byte fields, beginning with 0x14 0x04 (Kind=20, Length=4).

The malformed packet that crashes filterlog omits the two mandatory fields, the
Capabilities Option Bit-Vector and the Connection ID, and sets the option length
to 0x02. That violates the SCPS-TP standard but still conforms to the general
TCP option format (Kind, Length, optional data), so the packet passes TCP option
parsers that do not specifically handle SCPS-TP.

The packet processing code in filterlog, taken directly from tcpdump, defines
TCPOPT_AUTH with the wrong option number, so a kind-20 option is handled by the
TCPOPT_AUTH switch case. That case incorrectly subtracts from the option length;
with the length already at its two-byte minimum, the parser computes a bad
offset and segfaults when it reads the next option.

A packet whose SCPS Capabilities option follows the standard is 4 bytes long and
does not trigger this bug; a shortened SCPS option must be crafted deliberately.
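To make the two packet shapes concrete, the following is an added example written for this page (it is not code from filterlog, tcpdump or pfSense): a bounds-checked TCP options walker in C, run over constructed option areas. The inputs are a standard SYN option set with a conformant 0x14 0x04 SCPS option, the same set with the SCPS option shortened to 0x14 0x02 and padded with NOPs, and two option areas that are not valid TCP at all. The option kind numbers are the IANA ones; the result codes, the struct, the function names and the sample bytes are assumptions of this example. The point it demonstrates is that Length=2 is legal at the TCP layer and must be consumed as-is, with every subtraction guarded, which is where the parser described above goes wrong.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP option kinds referenced here (IANA "TCP Option Kind Numbers"). */
#define TCPOPT_EOL      0
#define TCPOPT_NOP      1
#define TCPOPT_MAXSEG   2
#define TCPOPT_SCPS    20   /* SCPS Capabilities option (CCSDS SCPS-TP) */
#define SCPS_CAP_OPTLEN 4   /* Kind, Length, Capabilities bit-vector, Connection ID */

/* Walker results (assumed names for this example). */
#define OPT_OK          0
#define OPT_TRUNCATED  -1   /* an option claims more bytes than remain */
#define OPT_BADLEN     -2   /* a multi-byte option with Length < 2 */

/* scps_status() results (assumed names for this example). */
#define SCPS_MALFORMED -1   /* the option area itself could not be walked */
#define SCPS_ABSENT     0
#define SCPS_CONFORMANT 1   /* Kind=20, Length=4 */
#define SCPS_SHORT      2   /* Kind=20 with a legal TCP length but not the SCPS one */

struct optstats {
    int count;            /* options consumed, NOPs included, EOL excluded */
    int scps_seen;
    int scps_conformant;
    uint8_t scps_bitvector, scps_connid;   /* filled only when conformant */
};

/* Walk the TCP options area opt[0..optlen).  Every read is bounds-checked
 * before it happens and the cursor advances by the option's own Length byte,
 * so a two-byte option with no data (0x14 0x02) is consumed cleanly instead
 * of driving the cursor backwards or past the end of the buffer. */
int walk_tcp_options(const uint8_t *opt, size_t optlen, struct optstats *st)
{
    size_t off = 0;
    st->count = 0; st->scps_seen = 0; st->scps_conformant = 0;
    st->scps_bitvector = 0; st->scps_connid = 0;

    while (off < optlen) {
        uint8_t kind = opt[off];
        if (kind == TCPOPT_EOL)              /* end of option list */
            return OPT_OK;
        if (kind == TCPOPT_NOP) {            /* single-byte option, no Length */
            off++; st->count++;
            continue;
        }
        if (off + 1 >= optlen)               /* Length byte missing */
            return OPT_TRUNCATED;
        uint8_t len = opt[off + 1];
        if (len < 2)                         /* len - 2 would underflow */
            return OPT_BADLEN;
        if (off + len > optlen)              /* data would run past the buffer */
            return OPT_TRUNCATED;
        size_t datalen = len - 2;            /* safe now: zero or more data bytes */
        const uint8_t *data = opt + off + 2;

        if (kind == TCPOPT_SCPS) {
            st->scps_seen = 1;
            /* The standard wants exactly two data bytes.  A shorter option is
             * still a legal TCP option, just not a legal SCPS one, so it is
             * recorded rather than treated as corrupt. */
            if (len == SCPS_CAP_OPTLEN && datalen == 2) {
                st->scps_conformant = 1;
                st->scps_bitvector = data[0];
                st->scps_connid = data[1];
            }
        }
        off += len;                          /* advance by Length, nothing else */
        st->count++;
    }
    return OPT_OK;
}

/* Number of options in the area, or a negative walker result. */
int option_count(const uint8_t *opt, size_t optlen)
{
    struct optstats st;
    int r = walk_tcp_options(opt, optlen, &st);
    return r == OPT_OK ? st.count : r;
}

/* Classify the SCPS Capabilities option, if any, in the area. */
int scps_status(const uint8_t *opt, size_t optlen)
{
    struct optstats st;
    if (walk_tcp_options(opt, optlen, &st) != OPT_OK) return SCPS_MALFORMED;
    if (!st.scps_seen) return SCPS_ABSENT;
    return st.scps_conformant ? SCPS_CONFORMANT : SCPS_SHORT;
}

/* Constructed option areas for this example, not captured traffic. */
/* MSS 1460, NOP, conformant SCPS (bit-vector 0x03, connection ID 0x01), EOL */
const uint8_t syn_opts_standard[]   = {0x02,0x04,0x05,0xb4, 0x01, 0x14,0x04,0x03,0x01, 0x00};
/* Same, with the SCPS option shortened to Kind=20, Length=2 and NOP padding */
const uint8_t syn_opts_short_scps[] = {0x02,0x04,0x05,0xb4, 0x01, 0x14,0x02, 0x01,0x01, 0x00};
/* SCPS option whose Length claims a byte that is not there */
const uint8_t syn_opts_truncated[]  = {0x14,0x04,0x03};
/* Length byte below the two-byte minimum */
const uint8_t syn_opts_badlen[]     = {0x14,0x01};

int main(void)
{
    printf("standard  : count=%d scps=%d\n", option_count(syn_opts_standard, sizeof syn_opts_standard), scps_status(syn_opts_standard, sizeof syn_opts_standard));
    printf("short scps: count=%d scps=%d\n", option_count(syn_opts_short_scps, sizeof syn_opts_short_scps), scps_status(syn_opts_short_scps, sizeof syn_opts_short_scps));
    printf("truncated : count=%d scps=%d\n", option_count(syn_opts_truncated, sizeof syn_opts_truncated), scps_status(syn_opts_truncated, sizeof syn_opts_truncated));
    printf("badlen    : count=%d\n", option_count(syn_opts_badlen, sizeof syn_opts_badlen));
    return 0;
}
```

The shortened SCPS option is reported as SCPS_SHORT rather than rejected because, as the advisory notes, it is a well-formed TCP option; a parser that needs SCPS fields must check the per-option length itself before touching any data byte, and must never subtract from a length it has not already verified to be at least 2.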

An affected version of filterlog that receives this malformed packet crashes,
which stops all further logging and can deny defenders information about a
subsequent attack.

Solution

pfsense-upgrade-latest