From owner-freebsd-bugs@FreeBSD.ORG Sun Jan 20 03:10:01 2008
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Sun, 20 Jan 2008 03:10:01 GMT
Resent-Message-Id: <200801200310.m0K3A1uN084348@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dierk Sacher
Message-Id: <200801200113.m0K1DngK096624@blaxxtarz.evangelion.free>
Date: Sun, 20 Jan 2008 02:13:49 +0100 (CET)
From: Dierk Sacher
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/119815: ipfw - incorrect handling of missing arguments - segfault
Reply-To: Dierk Sacher
List-Id: Bug reports
X-List-Received-Date: Sun, 20 Jan 2008 03:10:01 -0000

>Number:         119815
>Category:       bin
>Synopsis:       ipfw - incorrect handling of missing arguments - segfault
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 20 03:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Dierk Sacher
>Release:        FreeBSD 7.0-RC1 i386
>Organization:   DSITC
>Environment:
System: FreeBSD voxx.evangelion.free 7.0-RC1 FreeBSD 7.0-RC1 #3: Sun Jan 20 00:44:35 CET 2008 root@voxx.evangelion.free:/usr/obj/usr/src/sys/VOXX i386
>Description:
ipfw does improper input validation on the interface argument to the "nat config if" parameter. If you leave it out, ipfw will segfault because no check for ac == 0 is done in the TOK_IF: case (as is done for the ip).
>How-To-Repeat:
Issue the following commands on a machine with the new IPFIREWALL_NAT feature turned on:
1. Configure a nat rule (e.g.: ipfw add 100 nat 1 ip from any to any via rl0)
2. Issue the _wrong_ command (intentionally leaving out the interface argument): ipfw nat 1 config if
ipfw will segfault and dump core.
>Fix:
See patch against ipfw2.c:
--- ipfw2.c.orig 2008-01-20 01:57:47.000000000 +0100 +++ ipfw2.c 2008-01-20 01:57:53.000000000 +0100 @@ -3994,6 +3994,8 @@ ac--; av++; break; case TOK_IF: + if (ac == 0) + errx(EX_DATAERR, "missing option"); set_addr_dynamic(av[0], n); ac--; av++; break;
>Release-Note:
>Audit-Trail:
>Unformatted:
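Review bot: the error text "missing option" in the added errx() does not tell the user which argument is absent; at this point the `if` keyword has already been consumed and only its value is missing, so a message naming it, e.g. `errx(EX_DATAERR, "missing interface name");` (or whatever wording the existing ip check uses, for consistency), would point at the actual omission. The placement itself is right: the check sits before set_addr_dynamic(av[0], n) and before the ac--; av++ decrement, so av[0] is never read when ac == 0.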
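The defect the report describes, walked through as an added example (not code from the PR or from FreeBSD's ipfw2.c; the names parse_nat_config, struct nat_cfg and the `hardened` switch are assumptions): a small argv-style option loop in which the `if` keyword's value is read from av[0], shown both without and with the ac == 0 check.

```c
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical names; not the PR's or ipfw2.c's code). */
#define ERR_MISSING_ARG (-1)   /* ipfw would errx(EX_DATAERR, ...) here */
#define ERR_UNKNOWN_TOK (-2)

struct nat_cfg { char ifname[16]; char ip[16]; };

/* Walk av[0..ac-1] like ipfw's "nat N config" loop: a keyword is consumed,
 * then its value must still be present before av[0] is read again. With
 * hardened == 0 the "if" case skips that check, reproducing the PR's defect:
 * av[0] is then av[ac], the argv NULL terminator, and the copy crashes. */
static int parse_nat_config(int ac, char **av, struct nat_cfg *cfg, int hardened)
{
    while (ac > 0) {
        const char *tok = av[0];
        ac--; av++;                          /* consume the keyword */
        if (strcmp(tok, "ip") == 0) {
            if (ac == 0)                     /* the check the ip case has */
                return ERR_MISSING_ARG;
            snprintf(cfg->ip, sizeof cfg->ip, "%s", av[0]);
            ac--; av++;
        } else if (strcmp(tok, "if") == 0) {
            if (hardened && ac == 0)         /* the check the patch adds */
                return ERR_MISSING_ARG;
            snprintf(cfg->ifname, sizeof cfg->ifname, "%s", av[0]);
            ac--; av++;
        } else {
            return ERR_UNKNOWN_TOK;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs; the trailing NULL mimics a real argv. */
    char *good[] = { "if", "rl0", "ip", "10.0.0.1", NULL };
    char *bad[]  = { "if", NULL };           /* "ipfw nat 1 config if" */
    struct nat_cfg cfg = { "", "" };
    int rc = parse_nat_config(4, good, &cfg, 1);

    printf("good: %d (if=%s ip=%s)\n", rc, cfg.ifname, cfg.ip);
    printf("bad, hardened: %d\n", parse_nat_config(1, bad, &cfg, 1));
    /* parse_nat_config(1, bad, &cfg, 0) dereferences NULL and segfaults. */
    return 0;
}
```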