From owner-freebsd-current@FreeBSD.ORG Thu Aug 28 08:18:28 2003 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC41616A4BF; Thu, 28 Aug 2003 08:18:28 -0700 (PDT) Received: from fw.kraglund.net (0x50c40527.boanxx10.adsl-dhcp.tele.dk [80.196.5.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id A03A743FE3; Thu, 28 Aug 2003 08:18:26 -0700 (PDT) (envelope-from fk@kraglund.net) Received: from kraglund.net (accolon [192.168.42.2]) by fw.kraglund.net (8.11.6/8.11.6) with ESMTP id h7SFIND21208; Thu, 28 Aug 2003 17:18:24 +0200 (CEST) (envelope-from fk@kraglund.net) Message-ID: <3F4E1D3F.219BBC7A@kraglund.net> Date: Thu, 28 Aug 2003 17:18:23 +0200 From: Flemming Kraglund X-Mailer: Mozilla 4.8 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-stable@freebsd.org, freebsd-current@freebsd.org Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: natd fw punch rule leak found (and fix) X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Aug 2003 15:18:29 -0000 On a busy ftp site it was noticed that natd stopped punching ftp data session after some time, it was leaking the fw rule numbers allocated for punching. This happens if the ftp clients or ftp servers TCP layer was retransmitting the PORT/EPRT or the passive replies or as a DoS from a malicious client, then natd will allocated a new fw rule number for the punch overwriting the old allocated number, this happens even if the punch would not occur due to one of the port numbers being zero. The fix is simple, in libalias/alias_db.c in PunchFWHole add the following after the initial packetAliasMode test: /* FK, fix fw rule slots leak */ /* PROBLEM: we get double allocation for a link if there is a retransmission of a packet with session information (ftp PORT command etc) or a DoS client that keeps sending such commands, this double allocation will overwrite the previous allocated rule slot number. FIX: If one of the ports for the FW rule is zero then no rule is punched so don't do the punch stuff. */ if (GetOriginalPort(link) == 0 || GetDestPort(link) == 0) return; ClearFWHole(link); /* FK, fix fw rule slots leak ends */ /FK