From owner-freebsd-security Sat Jun 2 14:16:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from neko.cts.com (neko.cts.com [209.68.192.150])
    by hub.freebsd.org (Postfix) with ESMTP id 7E08737B424;
    Sat, 2 Jun 2001 14:16:12 -0700 (PDT) (envelope-from mdavis@cts.com)
Received: from venus.cts.com (venus.cts.com [216.120.25.34])
    by neko.cts.com (8.9.3/8.9.3) with ESMTP id OAA12556;
    Sat, 2 Jun 2001 14:16:12 -0700 (PDT)
Received: from orion (orion.cts.com [216.120.25.39])
    by venus.cts.com (8.11.3/8.11.3) with ESMTP id f52LGAp10661;
    Sat, 2 Jun 2001 14:16:10 -0700 (PDT) (envelope-from mdavis@cts.com)
From: "Morgan Davis"
To:
Cc: , , "'Hajimu UMEMOTO'" , , "'Garance A Drosihn'"
Subject: RE: Malformed from address
Date: Sat, 2 Jun 2001 14:16:36 -0700
Message-ID: <000001c0eba9$4f34e1c0$271978d8@cts.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2511
In-Reply-To: <000001c0eb56$6d6ae250$241978d8@cts.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2475.0000
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hajimu and Garance, et al:

Thank you for checking into my lpd problem in 4.3-STABLE (as of May 29).
You asked excellent questions, and here are my findings:

1. The trouble occurs when connecting to both systems via telnet (which
   having a reserved port number would make sense). Yet, when I connect
   via telnet to a FreeBSD 3.5 or 4.2 system, I get connected to the lpd
   port (515) with no error. This confirms your discovery that the check
   is new in 4.3.

2. However, under 4.3, connections from all Windows clients I have access
   to (three) now fail to print. They're all using IPv4 (in fact, IPv6 is
   completely disabled in the FreeBSD machines). The jobs get stuck in
   the Windows spooler.

3. Watching tcpdump, the ports from the client systems start above the
   privileged port range (IPPORT_RESERVED). With each failure, they will
   reconnect and increment the originating port number. Here are the
   starting port numbers I saw in tcpdump for various Windows OS flavors:

       23xx - Windows XP Pro (build 2475)
       11xx - Windows 2000 Pro
       10xx - Windows 2000 Server

   These are listed in order of machine uptime. I had just rebooted the
   Win2K Server machine to do this test, so it must start at 1024
   (IPPORT_RESERVED).

4. The printer configurations on the Windows machines are using a "Custom
   TCP/IP Printer Port" configuration (which just means they speak lpr to
   a port 515 device). Nothing unique or out of the ordinary in any of
   their network configurations. They're not going through NAT or
   anything that might molest the ports.

In looking at the lpd.c code (and netinet/in.h), the logic in lpd.c's
test seems to be wrong (or is missing a !):

    if (error || atoi(serv) >= IPPORT_RESERVED)
        fatal(0, "Malformed from address");

This would imply that any port at or above the IPPORT_RESERVED threshold
is illegal, which (I think) is clearly wrong. Shouldn't it be
< IPPORT_RESERVED? Or better still:

    if (error || atoi(serv) < IPPORT_RESERVED ||
        atoi(serv) > IPPORT_HILASTAUTO)
        fatal(0, "Malformed from address or illegal port");

This protects the privileged port range, but also gives clients enough
free range as was mentioned in a later message by Brandon Allbery as a
concern in the LPRng FAQ/HOWTO.

Perhaps this is faulty thinking (forgive me, I'm not a FreeBSD hacker by
trade), but after patching lpd.c, it works and I'm printing again. :-)

--Morgan

> -----Original Message-----
> From: owner-freebsd-stable@FreeBSD.ORG
> [mailto:owner-freebsd-stable@FreeBSD.ORG] On Behalf Of Morgan Davis
> Sent: Saturday, June 02, 2001 4:23 AM
> To: freebsd-stable@FreeBSD.ORG
> Subject: lpd: Malformed from address
>
>
> After upgrading two different FreeBSD 4.2 systems to 4.3, they both
> began to exhibit trouble when trying to print to their lpd processes.
> Watching the raw traffic via tcpdump, both are failing immediately when
> lpd tries to resolve the connecting client's address in chkhost():
>
>     error = getnameinfo(f, f->sa_len, NULL, 0, serv, sizeof(serv),
>         NI_NUMERICSERV);
>     if (error || atoi(serv) >= IPPORT_RESERVED)
>         fatal(0, "Malformed from address");
>
> It can be exercised via telnet:
>
> # telnet golf printer
> Trying 205.163.23.102...
> Connected to golf.cts.com.
> Escape character is '^]'.
> lpd: Malformed from address
> Connection closed by foreign host.
>
> This happens on both systems, different kernels, one running named and
> one not. What in the world could be causing this?
>
> --Morgan
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message