Date:      Thu, 3 Oct 2002 22:04:41 +0300 (EEST)
From:      Andrey Simonenko <simon@simon.org.ua>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: Q about sbin/ipfw2.c:list()
Message-ID:  <20021003215546.M7110-100000@lion.com.ua>
In-Reply-To: <20021002062546.C22163@iguana.icir.org>


On Wed, 2 Oct 2002, Luigi Rizzo wrote:

> On Wed, Oct 02, 2002 at 02:15:42PM +0300, Andrey Simonenko wrote:
> > Hello,
> >
> > Why is it needed to check both r->rulenum and (void *)r < lim in
> > sbin/ipfw2.c:list() ?
>
> because the buffer has a limited size (nbytes) and you don't want
> to read past it. However there is a bug in the code below,
> because you should swap the checks (void *)r < lim &&  r->rulenum < 65535
>
> Whether ipfw1.c has the same bug or not i don't remember, but that
> is irrelevant anyways.

ipfw1.c:list() doesn't check address boundary, it checks only a rule
65535.

Why is it possible that getsockopt(IP_FW_GET) can return not all IPFW2
rules? According to ipfw(8) manual page there is always a rule 65535, so
this rule should be always present after getsockopt(IP_FW_GET) call (of
course there should be enough memory in a buffer, but it is checked in
the code of list() function):

	/* get rules or pipes from kernel, resizing array as necessary */
	nbytes = nalloc;

	while (nbytes >= nalloc) {
		nalloc = nalloc * 2 + 200;
		nbytes = nalloc;
		if ((data = realloc(data, nbytes)) == NULL)
			err(EX_OSERR, "realloc");
		if (getsockopt(s, IPPROTO_IP, ocmd, data, &nbytes) < 0)
			err(EX_OSERR, "getsockopt(IP_%s_GET)",
				do_pipe ? "DUMMYNET" : "FW");
	}
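
The check order discussed in this thread, as an added example that is not part of the original message or of ipfw2.c: the bounds test comes before any field of the record is read. It goes further than the thread by also validating each record's length; struct rec_hdr, count_rules() and the sample buffer are hypothetical, simplified stand-ins, not the real struct ip_fw layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LAST_RULE 65535u	/* per ipfw(8), the rule that always ends the list */

/* Hypothetical, simplified record header; NOT the real struct ip_fw. */
struct rec_hdr {
	uint16_t rulenum;
	uint16_t len;		/* record size in bytes, header included */
};

/*
 * Count records in buf[0..nbytes) up to and including rule 65535.
 * Returns -1 if the buffer ends first or a length field is inconsistent.
 */
int
count_rules(const unsigned char *buf, size_t nbytes)
{
	struct rec_hdr h;
	size_t off = 0;
	int n = 0;

	for (;;) {
		/* Bounds first: the whole header must lie inside the buffer. */
		if (nbytes - off < sizeof(h))
			return (-1);
		memcpy(&h, buf + off, sizeof(h));	/* only now read rulenum */
		/* The record must fit in what is left and must make progress. */
		if (h.len < sizeof(h) || h.len > nbytes - off)
			return (-1);
		n++;
		if (h.rulenum == LAST_RULE)
			return (n);
		off += h.len;
	}
}

int main(void)
{
	/* Constructed sample: rule 100 (4 bytes), then rule 65535 (8 bytes). */
	struct rec_hdr a = { 100, 4 }, z = { LAST_RULE, 8 };
	unsigned char buf[12] = { 0 };
	memcpy(buf, &a, sizeof(a));
	memcpy(buf + 4, &z, sizeof(z));
	printf("full: %d, truncated: %d\n",
	    count_rules(buf, sizeof(buf)), count_rules(buf, 6));
	return (0);
}
```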

