pfSense: pfSense-SA-16_04.filterlog: Denial of Service in filterlog due to malformed SCPS options in a packet.

Description

A deliberately malformed TCP SYN packet with option 20 (0x14) can cause the filterlog daemon to crash with a segmentation fault, which causes all logging of packets from firewall rules to cease. Option 20 is SCPS-TP, which is a space communications version of TCP and not an option typically found on the Internet in general. The SCPS Capabilities Option should be sent in a TCP SYN packet and contain four fields of one byte each and begin with 0x14 0x04 (Kind=20, Length=4). A malformed packet that causes a segmentation fault in filterlog omits the two mandatory fields "Capabilities Option Bit-Vector" and "Connection ID" and have changes the option length to 0x02, which breaks the SCPS-TP standard but follows the TCP Options standard in general. The packet passes TCP option parsers that don't specifically care about SCPS-TP. The packet processing code in filterlog, which comes directly from tcpdump, incorrectly defines TCPOPT_AUTH to the wrong option. The switch case for TCPOPT_AUTH in filterlog incorrectly subtracts from the option length, resulting in a segmentation fault when next option is read. A packet with the SCPS Capabilities option adhering to the standard should be 4 bytes long and will not trigger this bug. A shortened SPCS option must be crafted deliberately. An affected version of filterlog which receives this malformed packet will crash, which stops further logging, potentially denying access to information about a later attack.