Date:      Thu, 18 Dec 1997 20:03:14 -0800
From:      Julian Elischer <julian@whistle.com>
To:        hackers@freebsd.org
Subject:   ipfw fix
Message-ID:  <3499F202.794BDF32@whistle.com>

This is a multi-part message in MIME format.

--------------1CFBAE3959E2B60015FB7483
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

If you use ipfw and the "reset tcp" option,
you may want to apply the following patch.
In fact you may want to do it if you MIGHT in the future do that.

This stops random kernel panics caused by kernel stack overwrites.

This fix is valid for 2.2.5 and 3.0.

It has just been checked in.

--------------1CFBAE3959E2B60015FB7483
Content-Type: text/plain; charset=us-ascii; name="knarlybugfix.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="knarlybugfix.patch"

*** netinet/ip_fw.c	1997/11/22 13:00:48	1.51.2.6
--- new/netinet/ip_fw.c	1997/12/19 02:54:54
***************
*** 576,598 ****
  		  {
  			struct tcphdr *const tcp =
  				(struct tcphdr *) ((u_long *)ip + ip->ip_hl);
! 			struct tcpiphdr ti;
  
  			if (offset != 0 || (tcp->th_flags & TH_RST))
  				break;
  			ti.ti_i = *((struct ipovly *) ip);
  			ti.ti_t = *tcp;
! 			NTOHL(ti.ti_seq);
! 			NTOHL(ti.ti_ack);
! 			ti.ti_len = ip->ip_len - hlen - (ti.ti_off << 2);
  			if (tcp->th_flags & TH_ACK) {
! 				tcp_respond(NULL, &ti, *m,
  				    (tcp_seq)0, ntohl(tcp->th_ack), TH_RST);
  			} else {
  				if (tcp->th_flags & TH_SYN)
! 					ti.ti_len++;
! 				tcp_respond(NULL, &ti, *m, ti.ti_seq
! 				    + ti.ti_len, (tcp_seq)0, TH_RST|TH_ACK);
  			}
  			*m = NULL;
  			break;
--- 576,599 ----
  		  {
  			struct tcphdr *const tcp =
  				(struct tcphdr *) ((u_long *)ip + ip->ip_hl);
! 			struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip;
  
  			if (offset != 0 || (tcp->th_flags & TH_RST))
  				break;
  			ti.ti_i = *((struct ipovly *) ip);
  			ti.ti_t = *tcp;
! 			bcopy(&ti, ip, sizeof(ti));
! 			NTOHL(tip->ti_seq);
! 			NTOHL(tip->ti_ack);
! 			tip->ti_len = ip->ip_len - hlen - (tip->ti_off << 2);
  			if (tcp->th_flags & TH_ACK) {
! 				tcp_respond(NULL, tip, *m,
  				    (tcp_seq)0, ntohl(tcp->th_ack), TH_RST);
  			} else {
  				if (tcp->th_flags & TH_SYN)
! 					tip->ti_len++;
! 				tcp_respond(NULL, tip, *m, tip->ti_seq
! 				    + tip->ti_len, (tcp_seq)0, TH_RST|TH_ACK);
  			}
  			*m = NULL;
  			break;
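Review bot: After `bcopy(&ti, ip, sizeof(ti))` the `tcp` pointer, located via `ip->ip_hl`, aliases `tip->ti_t` only when the IP header carries no options; with options present the copied TCP header lands at a different offset, and depending on the option length the later reads of `tcp->th_flags` and `tcp->th_ack` can see bytes of the relocated copy rather than the original fields, so the RST is built from the wrong flags or ack. Read those fields from the in-mbuf copy instead: `if (tip->ti_flags & TH_ACK) {`, `(tcp_seq)0, tip->ti_ack, TH_RST);` (ti_ack is already host order after the NTOHL above, so the ntohl() goes away) and `if (tip->ti_flags & TH_SYN)`. Since this path processes segments from arbitrary senders, a reset rule should be regression-tested with an options-bearing TCP segment so the generated RST is checked against the original header. The enclosing case body starts and ends outside the hunk.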
*** netinet/tcp_subr.c	1997/09/30 16:25:11	1.31.2.3
--- new/netinet/tcp_subr.c	1997/12/19 03:01:16
***************
*** 168,173 ****
--- 168,175 ----
   *
   * In any case the ack and sequence number of the transmitted
   * segment are as specified by the parameters.
+  *
+  * NOTE: If m != NULL, then ti must point to *inside* the mbuf.
   */
  void
  tcp_respond(tp, ti, m, ack, seq, flags)

--------------1CFBAE3959E2B60015FB7483--



