Date:      Thu, 26 Mar 1998 12:58:05 -0500 (EST)
From:      Jt <hometeam@techpower.net>
To:        security-officer@FreeBSD.ORG
Cc:        freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org
Subject:   Re: FreeBSD Security Advisory: FreeBSD-SA-98:02.mmap
Message-ID:  <Pine.BSF.3.96.980326125433.424B-200000@techpower.net>
In-Reply-To: <199803121947.UAA17528@gvr.gvr.org>


[-- Attachment #1 --]

Why was the patch Alex Nash added to ip_fw.c not included in the new
release? This is a needed option in ipfw.


hometeam@techpower.net
--We cannot all be masters, nor all masters 
   Cannot be truly follow'd--  

-----BEGIN PGP MESSAGE-----                                                     
Version: 2.6.2                                                                  
                                                                                
owEBqwBU/4kAlQMFADRCxNWhsddKSTR+6QEBelED/jzeC3btZfqSdIfrNoCgwUJJ                
iNQ33UQoMyJ2ygkfl72xP5J79yml/F4P73GnNaDVbaMOmOG2NNAi5ElE73wRh54U                
17kH+n5XnYeqekV8T2TG2Q6ex3UotXPyZ1vvrCrSxapOz6a4hh0GQeA55rcwLy2W                
ROHwxfvaVsrX5iVOkRoerBFiC21lc3NhZ2UudHh0AAAAAA==                                
=jCvF                                                                           
-----END PGP MESSAGE-----

[-- Attachment #2 --]
--- /sys/netinet/ip_fw.c	Fri Feb 27 16:17:43 1998
+++ ip_fw.c	Tue Mar 17 11:33:04 1998
@@ -163,6 +163,23 @@
 }
 
 static int
+is_icmp_query(struct ip *ip)
+{
+	const struct icmp *icmp;
+	int icmp_type;
+
+	icmp = (struct icmp *)((u_long *)ip + ip->ip_hl);
+	icmp_type = icmp->icmp_type;
+
+	if (icmp_type == ICMP_ECHO || icmp_type == ICMP_ROUTERSOLICIT ||
+	    icmp_type == ICMP_TSTAMP || icmp_type == ICMP_IREQ ||
+	    icmp_type == ICMP_MASKREQ)
+		return(1);
+
+	return(0);
+}
+
+static int
 ipopts_match(struct ip *ip, struct ip_fw *f)
 {
 	register u_char *cp;
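Review bot: is_icmp_query() dereferences icmp->icmp_type with no check that the packet actually carries an ICMP header after the IP header, so a truncated ICMP datagram that matched a reject rule reads one byte past the IP header contents; the function receives only the struct ip, not the mbuf, so it cannot see how much data is contiguous, and unless the caller in ip_fw_chk has already pulled up the ICMP header (not visible here) that read is unsafe. At minimum add a header-length guard before the cast, `if (ip->ip_len < (ip->ip_hl << 2) + ICMP_MINLEN) return(0);` (assuming ip_len is in host order at this point, as it is on the input path — confirm for the output path), and document the precondition above the function with `/* Caller must ensure the ICMP header is within the mbuf's contiguous data. */`. The header offset `(u_long *)ip + ip->ip_hl` also assumes u_long is 32 bits wide, since ip_hl counts 32-bit words; `(struct icmp *)((caddr_t)ip + (ip->ip_hl << 2))` does not depend on the platform's long size. A one-line comment stating that the listed types are the ICMP "query" messages for which RFC 1122 permits an error reply would explain why exactly these five are chosen.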
@@ -592,11 +609,11 @@
 	 * Send a reject notice if all of the following are true:
 	 *
 	 * - The packet matched a reject rule
-	 * - The packet is not an ICMP packet
+	 * - The packet is not an ICMP packet, or is an ICMP query packet
 	 * - The packet is not a multicast or broadcast packet
 	 */
 	if ((rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT
-	    && ip->ip_p != IPPROTO_ICMP
+	    && (ip->ip_p != IPPROTO_ICMP || is_icmp_query(ip))
 	    && !((*m)->m_flags & (M_BCAST|M_MCAST))
 	    && !IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
 		switch (rule->fw_reject_code) {
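Review bot: The new `|| is_icmp_query(ip)` term is evaluated for every rejected ICMP packet, including non-first fragments, whose bytes after the IP header are not an ICMP header at all, so the type byte it inspects is payload data; before this change the reject path never looked past the IP header for ICMP. The short-circuit on `ip->ip_p != IPPROTO_ICMP` correctly keeps the cast to struct icmp off non-ICMP packets, but the fragment case needs its own guard, for example `&& (ip->ip_p != IPPROTO_ICMP || ((ip->ip_off & IP_OFFMASK) == 0 && is_icmp_query(ip)))` (ip_off is presumably already in host order here, as elsewhere in ip_fw_chk — confirm). The surrounding function starts and ends outside this hunk, so I cannot tell whether an earlier fragment check already covers this path.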
