Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 15 Mar 2016 17:50:01 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 208035] IPFW firewall heap overflow
Message-ID:  <bug-208035-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D208035

            Bug ID: 208035
           Summary: IPFW firewall heap overflow
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org

There is a heap overflow, triggerable as root only in the IPFW firewall
handling code.

sys/netpfil/ipfw/ip_fw_nat.c:

static int
ipfw_nat_cfg(struct sockopt *sopt)
{
        struct cfg_nat_legacy *cfg;
        struct nat44_cfg_nat *ucfg;
        struct cfg_redir_legacy *rdir;
        struct nat44_cfg_redir *urdir;
        char *buf;
        size_t len, len2;
        int error, i;

        len =3D sopt->sopt_valsize;
        len2 =3D len + 128;

        /*
         * Allocate 2x buffer to store converted structures.
         * new redir_cfg has shrinked, so we're sure that
         * new buffer size is enough.
         */
        buf =3D malloc(roundup2(len, 8) + len2, M_TEMP, M_WAITOK | M_ZERO);
        error =3D sooptcopyin(sopt, buf, len, sizeof(struct cfg_nat_legacy)=
);

The size calculation passed to `malloc` can be overflown, resulting in heap
overflow on `sooptcopyin`.

This function is called when the `IP_FW_NAT_CFG` command is passed to
`ipfw_ctl`:

int
ipfw_ctl(struct sockopt *sopt)
{
        ...

        /* Save original valsize before it is altered via sooptcopyin() */
        valsize =3D sopt->sopt_valsize;
        opt =3D sopt->sopt_name;

        ...

        switch (opt) {
                ...
case IP_FW_NAT_CFG:
                if (IPFW_NAT_LOADED)
                        error =3D ipfw_nat_cfg_ptr(sopt);
                else {
                        printf("IP_FW_NAT_CFG: %s\n",
                            "ipfw_nat not present, please load it");
                        error =3D EINVAL;
                }
                break;

`ipfw_ctl` is only called by `ipfw_ctl3`, which is available only to root
processes (must have `PRIV_NETINET_IPFW` privilege):

int
ipfw_ctl3(struct sockopt *sopt)
{
        ...

        error =3D priv_check(sopt->sopt_td, PRIV_NETINET_IPFW);
        if (error !=3D 0)
                return (error);

        if (sopt->sopt_name !=3D IP_FW3)
                return (ipfw_ctl(sopt));

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-208035-8>