Date: Thu, 28 Aug 2003 17:18:23 +0200
From: Flemming Kraglund <fk@kraglund.net>
To: freebsd-stable@freebsd.org, freebsd-current@freebsd.org
Subject: natd fw punch rule leak found (and fix)
Message-ID: <3F4E1D3F.219BBC7A@kraglund.net>
On a busy ftp site it was noticed that natd stopped punching ftp data sessions after some time: it was leaking the fw rule numbers allocated for punching. This happens if the ftp client's or ftp server's TCP layer retransmits the PORT/EPRT command or the passive-mode reply, or when a malicious client keeps sending such commands as a DoS. natd then allocates a new fw rule number for the punch, overwriting the previously allocated number; this happens even if the punch would not occur because one of the port numbers is zero.

The fix is simple: in libalias/alias_db.c, in PunchFWHole, add the following after the initial packetAliasMode test:

    /* FK, fix fw rule slots leak */
    /*
     * PROBLEM: we get double allocation for a link if there is a
     * retransmission of a packet with session information (ftp PORT
     * command etc) or a DoS client that keeps sending such commands;
     * this double allocation will overwrite the previously allocated
     * rule slot number.
     * FIX: If one of the ports for the FW rule is zero then no rule is
     * punched, so don't do the punch stuff.
     */
    if (GetOriginalPort(link) == 0 || GetDestPort(link) == 0)
        return;
    ClearFWHole(link);
    /* FK, fix fw rule slots leak ends */

/FK
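A constructed C model of the leak and of the fix, added here and not libalias code: the struct, the slot bitmap and the function names are stand-ins for natd's own (assumed), and simulate() counts the rule slots still marked in use after a link that received the same PORT command several times is torn down.

```c
#include <stdbool.h>
#include <string.h>
#define FW_SLOTS 64                       /* natd's punch rule range (size assumed) */

struct alias_link {
    unsigned short orig_port, dst_port;   /* from the PORT/EPRT command or passive reply */
    int fw_slot;                          /* -1 when the link holds no rule slot */
};
static bool fw_in_use[FW_SLOTS];          /* stands in for the rule-slot bitmap */

static int fw_slots_used(void)
{
    int n = 0;
    for (int i = 0; i < FW_SLOTS; i++) n += fw_in_use[i];
    return n;
}
static int alloc_fw_slot(void)
{
    for (int i = 0; i < FW_SLOTS; i++)
        if (!fw_in_use[i]) { fw_in_use[i] = true; return i; }
    return -1;                            /* exhausted: natd stops punching here */
}
static void clear_fw_hole(struct alias_link *l)
{
    if (l->fw_slot >= 0) { fw_in_use[l->fw_slot] = false; l->fw_slot = -1; }
}

/* Before the fix: each (re)transmitted command takes a fresh slot, overwriting the old number. */
static void punch_fw_hole_leaky(struct alias_link *l)
{
    l->fw_slot = alloc_fw_slot();
}

/* After the fix: no punch for a zero port, and free the held slot before taking a new one. */
static void punch_fw_hole_fixed(struct alias_link *l)
{
    if (l->orig_port == 0 || l->dst_port == 0) return;
    clear_fw_hole(l);
    l->fw_slot = alloc_fw_slot();
}
/* Deliver the same session command n times on one link, tear the link down,
 * and return how many slots are still marked in use (0 means no leak). */
static int simulate(void (*punch)(struct alias_link *),
                    unsigned short oport, unsigned short dport, int n)
{
    struct alias_link l = { oport, dport, -1 };
    memset(fw_in_use, 0, sizeof fw_in_use);
    for (int i = 0; i < n; i++) punch(&l);
    clear_fw_hole(&l);                    /* link expiry frees only the slot still referenced */
    return fw_slots_used();
}
```

Five retransmissions leave four orphaned slots in the leaky variant and none in the fixed one, and a zero port allocates nothing at all after the fix.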