Date:      Tue, 5 Nov 2002 19:09:16 +0600 (NOVT)
From:      Alexey Dokuchaev <danfe@regency.nsu.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/44929: Uid/gid handling code in IPFW2 userland (/sbin/ipfw) is broken
Message-ID:  <200211051309.gA5D9Gq9004104@regency.nsu.ru>

>Number:         44929
>Category:       bin
>Synopsis:       Uid/gid handling code in IPFW2 userland (/sbin/ipfw) is broken
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 05 05:10:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Alexey Dokuchaev
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
CNIT
>Environment:
System: FreeBSD regency.nsu.ru 4.7-STABLE FreeBSD 4.7-STABLE #4: Tue Oct 29 20:17:48 NOVT 2002 root@regency.nsu.ru:/usr/src/sys/compile/REGENCY i386
>Description:
IPFW2 rule parser (both in -STABLE and -CURRENT) does not correctly handle uid/gid specifiers:

	ipfw add deny all from x.y.z.t to any uid jack
	ipfw add deny all from x.y.z.t to any uid mary

will yield:

?ab00          0          0 deny ip from x.y.z.t to any uid root
?ac00          0          0 deny ip from x.y.z.t to any uid root
See above.
>How-To-Repeat:
>Fix:
This fix also brings IPFW2 code in question in sync with old IPFW (which does behave correctly),
not to mention it corrects the described bug.  Though this diff is against -STABLE, I think it is
pretty clear how to apply it to -CURRENT.

--- ipfw2.c.orig	Tue Oct 29 10:19:15 2002
+++ ipfw2.c	Tue Oct 29 10:33:55 2002
@@ -2937,7 +2937,7 @@
 			pwd = (*end == '\0') ? getpwuid(uid) : getpwnam(*av);
 			if (pwd == NULL)
 				errx(EX_DATAERR, "uid \"%s\" nonexistent", *av);
-			cmd32->d[0] = uid;
+			cmd32->d[0] = pwd->pw_uid;
 			cmd->len = F_INSN_SIZE(ipfw_insn_u32);
 			ac--; av++;
 		    }
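Review bot: The `pwd == NULL` check directly above the changed assignment still rejects a numeric uid that has no passwd entry, because `getpwuid(uid)` returns NULL for it and `errx()` fires with "nonexistent". If rules for unassigned numeric uids should be accepted, fall back to the parsed `uid` when `*end == '\0'` and the lookup fails; otherwise `cmd32->d[0] = pwd->pw_uid;` is the right value for both arms of the ternary. The commit message should also say that rules previously added by user name were stored with the wrong uid (listed as `uid root` in the report), so affected rulesets need to be re-added after the fix is installed.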
@@ -2956,7 +2956,7 @@
 			if (grp == NULL)
 				errx(EX_DATAERR, "gid \"%s\" nonexistent", *av);
 			
-			cmd32->d[0] = gid;
+			cmd32->d[0] = grp->gr_gid;
 			cmd->len = F_INSN_SIZE(ipfw_insn_u32);
 			ac--; av++;
 		    }
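Review bot: Nothing in the patch guards the gid branch against regressing, and it fails silently: the rule is accepted and only the listing reveals that the wrong id was stored. A regression test that adds a rule with `gid <name>` (and one with `uid <name>`) and checks that `ipfw list` shows the same name would catch it. The whitespace-only context line between the `errx()` call and `cmd32->d[0] = grp->gr_gid;` could be dropped while this block is being touched.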

>Release-Note:
>Audit-Trail:
>Unformatted:
