Prevent integer overflow in PF when calculating the adaptive timeout.
Mainly states of established TCP connections whould be affected
resulting in immediate state removal once the numer of states is
bigger than adaptive.start.
Disabling adative timeouts with
set timeout { adaptive.start 0, adaptive.end 0 }
is a workaround to avoid this bug.
Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr)
The problem has been fixed in -current. For 5.9 and 6.0 the following
errata patches are available.
https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/019_pf.patch.sig
https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/036_pf.patch.sig
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)