Date: Thu, 18 Dec 1997 20:03:14 -0800 From: Julian Elischer <julian@whistle.com> To: hackers@freebsd.org Subject: ipfw fix Message-ID: <3499F202.794BDF32@whistle.com>
[-- Attachment #1 --]
If you use ipfw and the "reset tcp" option,
you may want to apply the following patch.
In fact you may want to do it if you MIGHT in the future do that.
It stops random kernel panics caused by kernel stack overwrites.
This fix is valid for 2.2.5 and 3.0.
It has just been checked in.
[-- Attachment #2 --]
*** netinet/ip_fw.c 1997/11/22 13:00:48 1.51.2.6
--- new/netinet/ip_fw.c 1997/12/19 02:54:54
***************
*** 576,598 ****
{
struct tcphdr *const tcp =
(struct tcphdr *) ((u_long *)ip + ip->ip_hl);
! struct tcpiphdr ti;
if (offset != 0 || (tcp->th_flags & TH_RST))
break;
ti.ti_i = *((struct ipovly *) ip);
ti.ti_t = *tcp;
! NTOHL(ti.ti_seq);
! NTOHL(ti.ti_ack);
! ti.ti_len = ip->ip_len - hlen - (ti.ti_off << 2);
if (tcp->th_flags & TH_ACK) {
! tcp_respond(NULL, &ti, *m,
(tcp_seq)0, ntohl(tcp->th_ack), TH_RST);
} else {
if (tcp->th_flags & TH_SYN)
! ti.ti_len++;
! tcp_respond(NULL, &ti, *m, ti.ti_seq
! + ti.ti_len, (tcp_seq)0, TH_RST|TH_ACK);
}
*m = NULL;
break;
--- 576,599 ----
{
struct tcphdr *const tcp =
(struct tcphdr *) ((u_long *)ip + ip->ip_hl);
! struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip;
if (offset != 0 || (tcp->th_flags & TH_RST))
break;
ti.ti_i = *((struct ipovly *) ip);
ti.ti_t = *tcp;
! bcopy(&ti, ip, sizeof(ti));
! NTOHL(tip->ti_seq);
! NTOHL(tip->ti_ack);
! tip->ti_len = ip->ip_len - hlen - (tip->ti_off << 2);
if (tcp->th_flags & TH_ACK) {
! tcp_respond(NULL, tip, *m,
(tcp_seq)0, ntohl(tcp->th_ack), TH_RST);
} else {
if (tcp->th_flags & TH_SYN)
! tip->ti_len++;
! tcp_respond(NULL, tip, *m, tip->ti_seq
! + tip->ti_len, (tcp_seq)0, TH_RST|TH_ACK);
}
*m = NULL;
break;
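Review bot: After `bcopy(&ti, ip, sizeof(ti));` the new code still reads through the old `tcp` pointer, which now refers to bytes this block has rewritten. With no IP options, `tcp` and `&tip->ti_t` appear to be the same address (assuming the usual 20-byte `struct ipovly`), so `ntohl(tcp->th_ack)` runs on a field that `NTOHL(tip->ti_ack)` has already converted, and on a little-endian machine the RST would carry a byte-swapped sequence number. With IP options present, `tcp` can point into bytes the copy has partly overwritten, so the later `tcp->th_flags` tests may read the wrong data. Reading through `tip` after the copy avoids both: `if (tip->ti_flags & TH_ACK) {`, `(tcp_seq)0, tip->ti_ack, TH_RST);` and `if (tip->ti_flags & TH_SYN)`. The copy also writes `sizeof(ti)` bytes at `ip`, which is safe only if the first mbuf holds that much contiguous data; any check for that, like the start and end of the enclosing case block, is outside the hunk.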
*** netinet/tcp_subr.c 1997/09/30 16:25:11 1.31.2.3
--- new/netinet/tcp_subr.c 1997/12/19 03:01:16
***************
*** 168,173 ****
--- 168,175 ----
*
* In any case the ack and sequence number of the transmitted
* segment are as specified by the parameters.
+ *
+ * NOTE: If m != NULL, then ti must point to *inside* the mbuf.
*/
void
tcp_respond(tp, ti, m, ack, seq, flags)
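Review bot: The added NOTE states the requirement but not the consequence of breaking it, which is what the next caller needs to know. From the description of this fix, a `ti` that lives on the caller's stack while `m` is non-NULL leads to kernel stack overwrites, so the comment could say so directly: `* NOTE: If m != NULL, then ti must point to *inside* the mbuf; a ti stored elsewhere (e.g. on the caller's stack) results in memory being overwritten.` The body of tcp_respond is outside the hunk, so whether a cheap runtime check of this precondition is practical there cannot be judged from here.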
