From owner-freebsd-bugs Wed Jan 15 14:50:06 2003
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7309937B401 for ; Wed, 15 Jan 2003 14:50:03 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 89CDE43F43 for ; Wed, 15 Jan 2003 14:50:02 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h0FMo2NS060761 for ; Wed, 15 Jan 2003 14:50:02 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h0FMo2Wf060760; Wed, 15 Jan 2003 14:50:02 -0800 (PST)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B2A937B401 for ; Wed, 15 Jan 2003 14:47:51 -0800 (PST)
Received: from arthur.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7F48943F43 for ; Wed, 15 Jan 2003 14:47:50 -0800 (PST) (envelope-from simon@arthur.nitro.dk)
Received: by arthur.nitro.dk (Postfix, from userid 1000) id 806A710BF87; Wed, 15 Jan 2003 23:47:47 +0100 (CET)
Message-Id: <20030115224747.806A710BF87@arthur.nitro.dk>
Date: Wed, 15 Jan 2003 23:47:47 +0100 (CET)
From: "Simon L. Nielsen"
Reply-To: "Simon L. Nielsen"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/47120: [patch] Sanity check in ipfw(8)
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         47120
>Category:       bin
>Synopsis:       [patch] Sanity check in ipfw(8)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 15 14:50:01 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Simon L. Nielsen
>Release:        FreeBSD 5.0-CURRENT
>Organization:
>Environment:
FreeBSD ford.nitro.dk 5.0-CURRENT FreeBSD 5.0-CURRENT #2: Fri Dec 27 13:32:24 CET 2002 root@ford.nitro.dk:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The ipfw(8) userland program does not check if the user tries to make certain types of self-contradictory rules. E.g. the following rule is allowed by ipfw2:

# sysctl kern.osrelease
kern.osrelease: 5.0-CURRENT
# ipfw add allow udp from any to any setup
01000 allow udp from any to any setup

The kernel firewall code correctly requires TCP packets when matching the setup keyword, so the rule can never match anything.

The included patch only allows the correct protocol (e.g. TCP for 'setup'), but sometimes protocol 'any/ip' might make the rule "work". In my opinion this still does not really make much sense and should not be allowed.

ipfw1 (/ipfw in FreeBSD 4) does not allow these types of rules:

# sysctl kern.osrelease
kern.osrelease: 4.7-RELEASE-p2
# ipfw add allow udp from any to any setup
ipfw: unknown argument ``setup''
# ipfw add allow ip from any to any setup
ipfw: unknown argument ``setup''
>How-To-Repeat:
>Fix:
This patch makes the ipfw userland program do a bit more sanity checking on the input rules for protocol-specific options.
--- ipfw2-inputcheck.patch begins here --- Index: ipfw2.c =================================================================== RCS file: /home/mirror/freebsd/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.21 diff -u -d -r1.21 ipfw2.c --- ipfw2.c 12 Jan 2003 03:31:10 -0000 1.21 +++ ipfw2.c 15 Jan 2003 21:08:20 -0000 @@ -2908,6 +2909,8 @@ break; case TOK_ICMPTYPES: + if(proto != IPPROTO_ICMP) + errx(EX_USAGE, "icmptypes only valid for icmp"); NEED1("icmptypes requires list of types"); fill_icmptypes((ipfw_insn_u32 *)cmd, *av); av++; ac--; @@ -2993,15 +2996,21 @@ break; case TOK_ESTAB: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "established only valid for tcp"); fill_cmd(cmd, O_ESTAB, 0, 0); break; case TOK_SETUP: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "setup only valid for tcp"); fill_cmd(cmd, O_TCPFLAGS, 0, (TH_SYN) | ( (TH_ACK) & 0xff) <<8 ); break; case TOK_TCPOPTS: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "tcpoptions only valid for tcp"); NEED1("missing argument for tcpoptions"); fill_flags(cmd, O_TCPOPTS, f_tcpopts, *av); ac--; av++; @@ -3009,6 +3018,8 @@ case TOK_TCPSEQ: case TOK_TCPACK: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "tcpseq/tcpack only valid for tcp"); NEED1("tcpseq/tcpack requires argument"); cmd->len = F_INSN_SIZE(ipfw_insn_u32); cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK; @@ -3017,6 +3028,8 @@ break; case TOK_TCPWIN: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "tcpwin only valid for tcp"); NEED1("tcpwin requires length"); fill_cmd(cmd, O_TCPWIN, 0, htons(strtoul(*av, NULL, 0))); @@ -3024,6 +3037,8 @@ break; case TOK_TCPFLAGS: + if(proto != IPPROTO_TCP) + errx(EX_USAGE, "tcpflags only valid for tcp"); NEED1("missing argument for tcpflags"); cmd->opcode = O_TCPFLAGS; fill_flags(cmd, O_TCPFLAGS, f_tcpflags, *av); --- ipfw2-inputcheck.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
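Review bot: the first hunk's header `@@ -2908,6 +2909,8 @@` already shows the new file one line longer before the icmptypes case, yet no earlier hunk is included, so this diff was either taken against a tree that differs from the stated revision 1.21 of ipfw2.c or trimmed by hand; please regenerate it from a clean checkout so it applies with patch(1). Style, here and in every hunk below: `if(proto != IPPROTO_ICMP)` should be written `if (proto != IPPROTO_ICMP)` per style(9).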
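Review bot: the `established`/`setup`/`tcpoptions` checks in the second hunk turn a rule such as `ipfw add allow ip from any to any setup`, which ipfw2 currently accepts and which the kernel matches only against TCP packets, into a hard EX_USAGE failure, so any existing ruleset that combines these options with `ip` or `all` will stop loading; the PR text argues this is intended, but the commit message and ipfw(8) should say so explicitly. The test also assumes `proto` already holds the rule's final protocol at the moment the option token is parsed; if the protocol can still be changed by a keyword later in the rule, the check fires too early, and doing the validation once after the whole rule has been read would avoid that. Since the same two-line `if(proto != IPPROTO_TCP) errx(EX_USAGE, "... only valid for tcp");` pattern appears for seven keywords, a small helper taking the required protocol and the keyword name would shrink the patch and keep the messages uniform.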
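Review bot: in the tcpseq/tcpack hunk the message "tcpseq/tcpack only valid for tcp" names both keywords although `i` already identifies the one the user typed, as the line `cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK;` just below shows; pick the message with the same `i == TOK_TCPSEQ` test so the error quotes only the keyword actually given.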
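The check the PR describes, written out as an added stand-alone example rather than code from the PR's patch or from FreeBSD's ipfw2.c: a table maps each protocol-specific ipfw(8) option to the IPPROTO_* number it needs, and the comparison is made once after the whole rule body has been scanned, so it also copes with a protocol given by a trailing `proto` keyword and catches two options that can never match together (e.g. `setup` plus `icmptypes`). Like the PR, it rejects `ip`/`all` with a TCP-only option. The simplified rule syntax (a body following the action, such as `udp from any to any setup`), the acceptance of a later `proto` keyword, and the names `check_rule`, `check_rule_str` and `last_error` are assumptions made for this example; the sample rules at the bottom are constructed.

```c
/*
 * Added example, not FreeBSD's ipfw2.c: table-driven sanity check for
 * protocol-specific ipfw(8) options, applied after the whole rule body has
 * been read. The rule representation (a whitespace-separated body following
 * the action, e.g. "udp from any to any setup") and the trailing "proto"
 * keyword are hypothetical simplifications of ipfw syntax.
 */
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Options that only make sense for one transport protocol. */
static const struct {
	const char *opt;
	int proto;			/* IPPROTO_* number the option requires */
} proto_opts[] = {
	{ "setup",	 IPPROTO_TCP },
	{ "established", IPPROTO_TCP },
	{ "tcpflags",	 IPPROTO_TCP },
	{ "tcpoptions",	 IPPROTO_TCP },
	{ "tcpseq",	 IPPROTO_TCP },
	{ "tcpack",	 IPPROTO_TCP },
	{ "tcpwin",	 IPPROTO_TCP },
	{ "icmptypes",	 IPPROTO_ICMP },
};
#define NPROTO_OPTS (sizeof(proto_opts) / sizeof(proto_opts[0]))

static char last_err[128];	/* message from the most recent failed check */

const char *
last_error(void)
{
	return (last_err);
}

/* Map a protocol word to IPPROTO_*; "ip"/"all" select IPPROTO_IP (0, any
 * protocol). A decimal protocol number is accepted too. -1 if unknown. */
static int
parse_proto(const char *w)
{
	char *end;
	long n;

	if (strcmp(w, "tcp") == 0)
		return (IPPROTO_TCP);
	if (strcmp(w, "udp") == 0)
		return (IPPROTO_UDP);
	if (strcmp(w, "icmp") == 0)
		return (IPPROTO_ICMP);
	if (strcmp(w, "ip") == 0 || strcmp(w, "all") == 0)
		return (IPPROTO_IP);
	n = strtol(w, &end, 10);
	if (*w != '\0' && *end == '\0' && n >= 0 && n <= 255)
		return ((int)n);
	return (-1);
}

static const char *
proto_name(int p)
{
	switch (p) {
	case IPPROTO_TCP:  return ("tcp");
	case IPPROTO_UDP:  return ("udp");
	case IPPROTO_ICMP: return ("icmp");
	default:	   return ("ip");
	}
}

/*
 * Check a tokenized rule body: argv[0] is the protocol word, the rest are
 * addresses and options. Returns 0 if every option can match under the
 * rule's protocol, -1 (with last_error() set) if the rule is contradictory.
 */
int
check_rule(int argc, const char *argv[])
{
	const char *need_opt = NULL;
	int proto, need_proto = -1, i;
	size_t j;

	last_err[0] = '\0';
	if (argc < 1 || (proto = parse_proto(argv[0])) < 0) {
		snprintf(last_err, sizeof(last_err), "missing or unknown protocol");
		return (-1);
	}
	for (i = 1; i < argc; i++) {
		/* A later "proto" keyword overrides the leading protocol word,
		 * which is why the comparison is deferred to the end of the scan. */
		if (strcmp(argv[i], "proto") == 0 && i + 1 < argc) {
			if ((proto = parse_proto(argv[++i])) < 0) {
				snprintf(last_err, sizeof(last_err),
				    "unknown protocol %s", argv[i]);
				return (-1);
			}
			continue;
		}
		for (j = 0; j < NPROTO_OPTS; j++) {
			if (strcmp(argv[i], proto_opts[j].opt) != 0)
				continue;
			/* Two options that each need a different protocol. */
			if (need_opt != NULL && need_proto != proto_opts[j].proto) {
				snprintf(last_err, sizeof(last_err),
				    "%s and %s can never match together",
				    need_opt, argv[i]);
				return (-1);
			}
			need_opt = argv[i];
			need_proto = proto_opts[j].proto;
		}
	}
	/* IPPROTO_IP ("ip"/"all") is rejected here too, as the PR proposes. */
	if (need_opt != NULL && proto != need_proto) {
		snprintf(last_err, sizeof(last_err), "%s only valid for %s",
		    need_opt, proto_name(need_proto));
		return (-1);
	}
	return (0);
}

/* Convenience wrapper: split a rule body on blanks and run check_rule(). */
int
check_rule_str(const char *rule)
{
	char buf[256], *tok;
	const char *argv[32];
	int argc = 0;

	snprintf(buf, sizeof(buf), "%s", rule);
	for (tok = strtok(buf, " \t"); tok != NULL && argc < 32;
	    tok = strtok(NULL, " \t"))
		argv[argc++] = tok;
	return (check_rule(argc, argv));
}

int
main(void)
{
	/* Constructed sample rules, including the one from the PR. */
	static const char *samples[] = {
		"udp from any to any setup",		/* PR example: rejected */
		"tcp from any to any setup",		/* fine */
		"ip from any to any established",	/* rejected */
		"all from any to any setup proto tcp",	/* fine: proto given later */
		"icmp from any to any icmptypes 0,8",	/* fine */
		"tcp from any to any setup icmptypes 8",	/* rejected: conflict */
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (check_rule_str(samples[i]) == 0)
			printf("ok:   %s\n", samples[i]);
		else
			printf("fail: %s: %s\n", samples[i], last_error());
	}
	return (0);
}
```

Deferring the comparison until the scan is complete is the design point: a check placed at each option token, as in the PR's patch, can only see the protocol parsed so far, while a single pass at the end sees the rule the kernel will actually evaluate.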