Date: Sun, 03 Jun 2001 06:49:24 +0900 (JST)
Message-Id: <20010603.064924.55505694.ume@mahoroba.org>
To: mdavis@cts.com
Cc: freebsd-stable@freebsd.org, security@freebsd.org, wollman@freebsd.org, freebsd-print@bostonradio.org, drosih@rpi.edu
Subject: Re: Malformed from address
From: Hajimu UMEMOTO
In-Reply-To: <000001c0eba9$4f34e1c0$271978d8@cts.com>
References: <000001c0eb56$6d6ae250$241978d8@cts.com> <000001c0eba9$4f34e1c0$271978d8@cts.com>

>>>>> On Sat, 2 Jun 2001 14:16:36 -0700
>>>>> "Morgan Davis" said:

mdavis> 3. Watching tcpdump, the ports from the client systems start above the
mdavis> privileged port range (IPPORT_RESERVED). With each failure, they will
mdavis> reconnect and increment the originating port number. Here are the
mdavis> starting port numbers I saw in tcpdump for various Windows OS flavors:

mdavis> 23xx - Windows XP Pro (build 2475)
mdavis> 11xx - Windows 2000 Pro
mdavis> 10xx - Windows 2000 Server

mdavis> These are listed in order of machine uptime. I had just rebooted the
mdavis> Win2K Server machine to do this test, so it must start at 1024
mdavis> (IPPORT_RESERVED).

Then, Windows is broken. The printer client must bind its source port to
within IPPORT_RESERVED.

mdavis> In looking at the lpd.c code (and netinet/in.h), the logic in lpd.c's
mdavis> test seems to be wrong (or is missing a !):

mdavis>     if (error || atoi(serv) >= IPPORT_RESERVED)
mdavis>             fatal(0, "Malformed from address");

mdavis> This would imply that any port at or above the IPPORT_RESERVED
mdavis> threshold is illegal, which (I think) is clearly wrong. Shouldn't it
mdavis> be < IPPORT_RESERVED? Or better still:

This checking code is correct. r-authentication requires that the
connection comes from the reserved port range. Please see the
iruserok_sa(3) manpage.

mdavis>     if (error || atoi(serv) < IPPORT_RESERVED || atoi(serv) >
mdavis>     IPPORT_HILASTAUTO)
mdavis>             fatal(0, "Malformed from address or illegal port");

This code is wrong. Since Unix's lpr does bind to a reserved port, you
will not be able to print from Unix boxes. If you wish to allow such
broken connections, you can simply remove the reserved port checking.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/