Date: Fri, 05 Aug 2005 15:06:19 +0400
From: Boris Polevoy <vapcom@mail.ru>
To: pf@benzedrine.cx
Cc: freebsd-pf@freebsd.org
Subject: PF ioctl(DIOCADDADDR) possible bug
Message-ID: <E1E101r-000NGc-00.vapcom-mail-ru@f37.mail.ru>

Hello, All!

I found some possible problem in function pf_ioctl.c/pfioctl() in FreeBSD 5.4-RELEASE PF.

To add a PF rdr (nat) rule to the active ruleset we have to do several steps:

1) get pool ticket with ioctl(DIOCBEGINADDRS);
2) create addresses pool with several ioctl(DIOCADDADDR);
3) get ticket for add rule with ioctl(DIOCCHANGERULE);
4) add rule with ioctl(DIOCCHANGERULE).

In step 2 ioctl(DIOCADDADDR) does not check the pool ticket value, and there is a possible situation of malicious or failure address pool addition without getting the pool ticket from another process.

Is it a bug or not?

With best regards
Boris Polevoy
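
The ticket question raised in the message above, as a small userland model (an added example, not part of the original e-mail and not PF's kernel code). The struct, the function names, the error codes and the sample addresses are assumptions made for this model; it contrasts an add-address step that ignores the pool ticket with one that rejects a caller that does not hold the current ticket.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define POOL_MAX 8

/* Model of one shared staging buffer for pool addresses (hypothetical layout). */
struct pool_state {
    uint32_t ticket;           /* ticket issued by the last begin_addrs() */
    uint32_t addrs[POOL_MAX];  /* staged IPv4 addresses, host byte order */
    int      count;
};

/* Models step 1 (DIOCBEGINADDRS): empty the buffer, hand out a fresh ticket. */
uint32_t begin_addrs(struct pool_state *ps)
{
    ps->count = 0;
    return ++ps->ticket;
}

/* Models step 2 (DIOCADDADDR). check_ticket = 0 is the behaviour the message
 * describes; check_ticket = 1 refuses a ticket that is not the current one. */
int add_addr(struct pool_state *ps, uint32_t ticket, uint32_t addr, int check_ticket)
{
    if (check_ticket && ticket != ps->ticket)
        return EBUSY;          /* error code chosen for this model */
    if (ps->count >= POOL_MAX)
        return ENOMEM;
    ps->addrs[ps->count++] = addr;
    return 0;
}

/* Process A begins a pool and stages one address. Process B never called
 * begin_addrs() and passes ticket 0. Returns the number of staged addresses
 * that the rule added in steps 3 and 4 would pick up. */
int run_scenario(int check_ticket)
{
    struct pool_state ps;
    memset(&ps, 0, sizeof ps);
    uint32_t a_ticket = begin_addrs(&ps);
    add_addr(&ps, a_ticket, 0xC0A80001u, check_ticket); /* A: 192.168.0.1 (constructed) */
    add_addr(&ps, 0, 0x0A000063u, check_ticket);        /* B: 10.0.0.99 (constructed) */
    return ps.count;
}

int main(void)
{
    /* Exit status 0 when the unchecked pool holds 2 entries and the checked pool 1. */
    return !(run_scenario(0) == 2 && run_scenario(1) == 1);
}
```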