From owner-freebsd-security  Thu Nov  5 07:42:18 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id HAA25528
          for freebsd-security-outgoing; Thu, 5 Nov 1998 07:42:18 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA25521
          for <freebsd-security@FreeBSD.ORG>; Thu, 5 Nov 1998 07:42:16 -0800 (PST)
          (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.8.8/8.8.8) with SMTP id KAA05283
	for <freebsd-security@FreeBSD.ORG>; Thu, 5 Nov 1998 10:42:10 -0500 (EST)
Date: Thu, 5 Nov 1998 10:42:10 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Amazing wonder packet Part 2.
In-Reply-To: <Pine.BSF.3.96.981105082421.4653A-100000@fledge.watson.org>
Message-ID: <Pine.BSF.3.96.981105103648.5251A-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


So in case anyone missed it in the verbosity of my previous email, I
described a race condition involving rc.pccard and dhcp where network
programs are executed prior to the installation of firewall rules
(possibly leading to applications being exposed to the network where the
ipfw rules in rc.firewall should not allow it).

I also described a situation where, if your pccard script executed ipfw
commands (seems reasonable for a card insert or remove), then you could
get unexpected results due to interlacing of rc.firewall and pccard.conf
ipfw commands.  The program execution problem appears to exist only when
the default policy is 'accept'.  The pccard.conf ipfw problem exists even
when the default policy is 'deny', I believe.

I also raised the question: are packets ever queued after acceptance by
ipfw such that they could be received later if the port is not yet bound?
For example, suppose ipfw in a nascent or under-developed state accepts a
packet, and then later named is started -- is it possible through any race
conditions that the packet accepted earlier will make it to named later?

  Robert N Watson 

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message