Date: Fri, 21 Jun 2002 07:38:04 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: ipfw@freebsd.org
Subject: a bug in divert handling of fragments
Message-ID: <20020621073804.B79754@iguana.icir.org>
Hi,
there is a case with divert/tee of fragmented packets on which I would
like clarifications: in ip_input.c::ip_reass(), a comment says:

    #ifdef IPDIVERT
            /*
             * Transfer firewall instructions to the fragment structure.
             * Any fragment diverting causes the whole packet to divert.
             */
            fp->ipq_div_info = *divinfo;
            fp->ipq_div_cookie = *divert_rule;
            *divinfo = 0;
            *divert_rule = 0;
    #endif

However, the code as you see above does not check for existing divert
info, and just overrides whatever state was there with info from the
latest incoming fragment. This is in disagreement with the comment, and
almost certainly not what one wants, so I believe this has to be fixed.

I see two possible alternatives:

  #1: only trust divert info for the fragment with offset 0
      (i.e. the one which should have headers etc.)

  #2: keep as good the info from the first incoming fragment with a
      non-zero *divinfo (i.e. one which matched a divert rule).

I would prefer #1 because it is less prone to attacks and easier to
implement, and also because there is a lot more information that the
firewall can use to select the packet.

Comments anyone?

        cheers
        luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
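The overwrite the mail describes and the proposed alternative #1, modelled side by side as an added C example (not code from ip_input.c or from the author); the struct names, the policy function names and the sample fragment sequence are constructed stand-ins for the real reassembly queue, chosen so the lost verdict is visible in the returned port:

```c
#include <stdint.h>
#include <stddef.h>
/* Stand-ins (constructed) for the reassembly-queue and fragment fields in the mail. */
struct ipq_model { uint16_t ipq_div_info; uint16_t ipq_div_cookie; };
struct frag_model {
    uint16_t off;          /* fragment offset, 0 = the fragment carrying the headers */
    uint16_t divinfo;      /* divert port from the firewall, 0 = no divert match */
    uint16_t divert_rule;  /* number of the rule that matched */
};

/* The quoted ip_reass() behaviour: every fragment overwrites the queue's verdict. */
static void transfer_divert_current(struct ipq_model *fp, struct frag_model *f)
{
    fp->ipq_div_info = f->divinfo;
    fp->ipq_div_cookie = f->divert_rule;
    f->divinfo = 0;
    f->divert_rule = 0;
}

/* Alternative #1 from the mail: only the offset-0 fragment may set the verdict. */
static void transfer_divert_offset0(struct ipq_model *fp, struct frag_model *f)
{
    if (f->off == 0) {
        fp->ipq_div_info = f->divinfo;
        fp->ipq_div_cookie = f->divert_rule;
    }
    f->divinfo = 0;
    f->divert_rule = 0;
}

/* Run a fragment sequence through one policy; return the final divert port. */
static uint16_t reassemble(void (*policy)(struct ipq_model *, struct frag_model *),
                           const struct frag_model *frags, size_t n)
{
    struct ipq_model fp = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        struct frag_model f = frags[i];   /* copy: the policy clears per-fragment info */
        policy(&fp, &f);
    }
    return fp.ipq_div_info;
}

/* Constructed sample: the offset-0 fragment matched rule 100 (divert to port 8668);
 * the following fragment carries no headers and matched nothing. */
uint16_t sample_final_port(int use_offset0_policy)
{
    const struct frag_model frags[] = { { 0, 8668, 100 }, { 185, 0, 0 } };
    return reassemble(use_offset0_policy ? transfer_divert_offset0
                                         : transfer_divert_current,
                      frags, sizeof frags / sizeof frags[0]);
}
```

With the current behaviour the second fragment wipes the verdict and the packet is not diverted at all; with the offset-0 rule the verdict taken on the fragment that actually carried the headers survives reassembly.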