Bug ID 424383: drop command allows packet through before tearing down the flow

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.3.0

Fixed In:
11.3.0 HF8

Opened: Jul 02, 2013
Severity: 2-Critical
Related AskF5 Article:
K14590

Symptoms

Packets from an iRule that uses the [drop] command pass through to the other side of the connection.

Impact

For stateless/message-based protocols (UDP, SIP), or given a mid-connection call to drop (HTTP_REQUEST, for example), this passes data before tearing down the protocol control block. Depending on the application, this can be dangerous. In the case of a stateful protocol (TCP, SCTP) using the drop command in CLIENT_ACCEPTED, the next segment will result in a RST packet or ABORT chunk, so there is less impact.

Conditions

An iRule calls drop.

Workaround

None.

Fix Information

Add a temporary flag to note that the connection has been asynchronously aborted, and avoid delivering the packet when this is set.

Behavior Change