From owner-freebsd-bugs Mon May 27 19:01:27 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA20440 for bugs-outgoing; Mon, 27 May 1996 19:01:27 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA20338; Mon, 27 May 1996 19:00:05 -0700 (PDT)
Resent-Date: Mon, 27 May 1996 19:00:05 -0700 (PDT)
Resent-Message-Id: <199605280200.TAA20338@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, nash@mcs.com
Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA19808; Mon, 27 May 1996 18:50:42 -0700 (PDT)
Received: (from alex@localhost) by zen.nash.org (8.7.5/8.6.12) id UAA00816; Mon, 27 May 1996 20:50:13 -0500 (CDT)
Message-Id: <199605280150.UAA00816@zen.nash.org>
Date: Mon, 27 May 1996 20:50:13 -0500 (CDT)
From: Alex Nash
Reply-To: nash@mcs.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: phk@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/1267: IPFW: prevent deletion of default policy
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1267
>Category: kern
>Synopsis: Kernel allows deletion of default policy entry
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon May 27 19:00:04 PDT 1996
>Last-Modified:
>Originator: Alex Nash
>Organization:
>Release: FreeBSD 2.1-STABLE i386
>Environment:

2.1.0-STABLE/CURRENT running IPFW.

>Description:

The kernel allows the default policy (chain entry 65535) to be deleted when it should not.

>How-To-Repeat:

# ipfw del 65535
# ipfw l

>Fix:

NOTE: These diffs are against those submitted in kern/1219. The version numbers do not correspond to those in the FreeBSD CVS tree.

The fix consists of a single line change to line 541.
The other diffs are part of a work in progress: - Formatting fix (from my style->BSD) - Undocumented feature: disallow IPFW manipulation when securelevel > 2. Index: ip_fw.c =================================================================== RCS file: /home/alex/cvs/sys/netinet/ip_fw.c,v retrieving revision 1.3 retrieving revision 1.4 diff -c -r1.3 -r1.4 *** ip_fw.c 1996/05/19 18:31:09 1.3 --- ip_fw.c 1996/05/28 01:15:27 1.4 *************** *** 11,17 **** * * This software is provided ``AS IS'' without any warranties of any kind. * ! * $Id: ip_fw.c,v 1.3 1996/05/19 18:31:09 alex Exp $ */ /* --- 11,17 ---- * * This software is provided ``AS IS'' without any warranties of any kind. * ! * $Id: ip_fw.c,v 1.4 1996/05/28 01:15:27 alex Exp $ */ /* *************** *** 538,544 **** s = splnet(); fcp = chainptr->lh_first; ! if (fcp->rule->fw_number != (u_short)-1) { for (; fcp; fcp = fcp->chain.le_next) { if (fcp->rule->fw_number == frwl->fw_number) { LIST_REMOVE(fcp, chain); --- 538,544 ---- s = splnet(); fcp = chainptr->lh_first; ! if (frwl->fw_number != (u_short)-1) { for (; fcp; fcp = fcp->chain.le_next) { if (fcp->rule->fw_number == frwl->fw_number) { LIST_REMOVE(fcp, chain); *************** *** 578,585 **** */ s = splnet(); for (fcp = ip_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next) ! if (!frwl || frwl->fw_number == fcp->rule->fw_number) ! { fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0; fcp->rule->timestamp = 0; } --- 578,584 ---- */ s = splnet(); for (fcp = ip_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next) ! 
if (!frwl || frwl->fw_number == fcp->rule->fw_number) { fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0; fcp->rule->timestamp = 0; } *************** *** 650,655 **** --- 649,659 ---- return (0); } m = *mm; + /* only allow get calls if secure mode < 3 */ + if (securelevel > 2) { + if (m) (void)m_free(m); + return(EPERM); + } if (stage == IP_FW_FLUSH) { while (ip_fw_chain.lh_first != NULL && ip_fw_chain.lh_first->rule->fw_number != (u_short)-1) { *************** *** 672,678 **** printf("ip_fw_ctl: NULL mbuf ptr\n"); return (EINVAL); } - if (stage == IP_FW_ADD || stage == IP_FW_DEL) { struct ip_fw *frwl = check_ipfw_struct(m); --- 676,681 ---- >Audit-Trail: >Unformatted:
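Review bot: The hunk at line 538 does not show what the caller gets back when `frwl->fw_number` is `(u_short)-1` and the loop is skipped; a request to delete rule 65535 should fail with an explicit error rather than return as if it had succeeded, so please confirm the code after this block does that. The bare `(u_short)-1` is also repeated in the `IP_FW_FLUSH` loop further down, and a named constant for the default rule number would keep the two tests in step. Testing the requested number instead of `fcp->rule->fw_number` has the side benefit that `chainptr->lh_first` is no longer dereferenced before the loop's own NULL check.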
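Review bot: In the securelevel block added after `m = *mm;` in the hunk at line 650, `m_free(m)` releases only the first mbuf; unless the control data is guaranteed to be a single mbuf, `m_freem(m)` is the call that frees the whole chain. The new `return(EPERM);` also drops the space used by `return (0);` and `return (EINVAL);` in the surrounding context, and the `if (m) (void)m_free(m);` one-liner would read better split over two lines. Since the submission describes this as an undocumented feature, the securelevel > 2 restriction should be documented alongside the code, and the comment could say that every stage reaching this point (flush included) is refused, not only which calls remain allowed.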