Date: Mon, 27 May 1996 20:50:13 -0500 (CDT)
From: Alex Nash <alex@zen.nash.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: phk@freebsd.org
Subject: kern/1267: IPFW: prevent deletion of default policy
Message-ID: <199605280150.UAA00816@zen.nash.org>
Resent-Message-ID: <199605280200.TAA20338@freefall.freebsd.org>
>Number: 1267 >Category: kern >Synopsis: Kernel allows deletion of default policy entry >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon May 27 19:00:04 PDT 1996 >Last-Modified: >Originator: Alex Nash >Organization: >Release: FreeBSD 2.1-STABLE i386 >Environment: 2.1.0-STABLE/CURRENT running IPFW. >Description: The kernel allows the default policy (chain entry 65535) to be deleted when it should not. >How-To-Repeat: # ipfw del 65535 # ipfw l >Fix: NOTE: These diffs are against those submitted in kern/1219. The version numbers do not correspond to those in the FreeBSD CVS tree. The fix consists of a single line change to line 541. The other diffs are part of a work in progress: - Formatting fix (from my style->BSD) - Undocumented feature: disallow IPFW manipulation when securelevel > 2. Index: ip_fw.c =================================================================== RCS file: /home/alex/cvs/sys/netinet/ip_fw.c,v retrieving revision 1.3 retrieving revision 1.4 diff -c -r1.3 -r1.4 *** ip_fw.c 1996/05/19 18:31:09 1.3 --- ip_fw.c 1996/05/28 01:15:27 1.4 *************** *** 11,17 **** * * This software is provided ``AS IS'' without any warranties of any kind. * ! * $Id: ip_fw.c,v 1.3 1996/05/19 18:31:09 alex Exp $ */ /* --- 11,17 ---- * * This software is provided ``AS IS'' without any warranties of any kind. * ! * $Id: ip_fw.c,v 1.4 1996/05/28 01:15:27 alex Exp $ */ /* *************** *** 538,544 **** s = splnet(); fcp = chainptr->lh_first; ! if (fcp->rule->fw_number != (u_short)-1) { for (; fcp; fcp = fcp->chain.le_next) { if (fcp->rule->fw_number == frwl->fw_number) { LIST_REMOVE(fcp, chain); --- 538,544 ---- s = splnet(); fcp = chainptr->lh_first; ! 
if (frwl->fw_number != (u_short)-1) { for (; fcp; fcp = fcp->chain.le_next) { if (fcp->rule->fw_number == frwl->fw_number) { LIST_REMOVE(fcp, chain); *************** *** 578,585 **** */ s = splnet(); for (fcp = ip_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next) ! if (!frwl || frwl->fw_number == fcp->rule->fw_number) ! { fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0; fcp->rule->timestamp = 0; } --- 578,584 ---- */ s = splnet(); for (fcp = ip_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next) ! if (!frwl || frwl->fw_number == fcp->rule->fw_number) { fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0; fcp->rule->timestamp = 0; } *************** *** 650,655 **** --- 649,659 ---- return (0); } m = *mm; + /* only allow get calls if secure mode < 3 */ + if (securelevel > 2) { + if (m) (void)m_free(m); + return(EPERM); + } if (stage == IP_FW_FLUSH) { while (ip_fw_chain.lh_first != NULL && ip_fw_chain.lh_first->rule->fw_number != (u_short)-1) { *************** *** 672,678 **** printf("ip_fw_ctl: NULL mbuf ptr\n"); return (EINVAL); } - if (stage == IP_FW_ADD || stage == IP_FW_DEL) { struct ip_fw *frwl = check_ipfw_struct(m); --- 676,681 ---- >Audit-Trail: >Unformatted:
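Review bot: In the hunk at line 538, the new guard `if (frwl->fw_number != (u_short)-1)` makes a delete request for rule 65535 skip the loop entirely, but the visible context does not show what the function returns in that case. The refused delete should return an error such as EINVAL rather than fall through to a success return, so the caller sees the refusal. The literal `(u_short)-1` also appears in the IP_FW_FLUSH loop in the context of the hunk at line 650; a named constant for the default rule number would keep the two checks in sync.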
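Review bot: The `securelevel > 2` check added after `m = *mm;` in the hunk at line 650 is a security policy change that the submission itself describes as undocumented and work in progress, so it should go in as its own change with the securelevel behaviour documented, rather than ride along with the one-line default-rule fix. As placed, it returns EPERM for every stage handled below it (the context shows IP_FW_FLUSH, IP_FW_ADD and IP_FW_DEL), while the comment "only allow get calls if secure mode < 3" can be read as restricting get calls; the comment should say which operations are refused and at which level. Style: `return(EPERM);` should be `return (EPERM);` to match `return (0);` and `return (EINVAL);` in the surrounding lines, and `if (m) (void)m_free(m);` belongs on two lines. Please also confirm that m is always a single mbuf at this point, since m_free() releases only one mbuf and m_freem() is needed for a chain.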