From owner-freebsd-ipfw@FreeBSD.ORG Fri May 16 07:01:09 2003
Date: Fri, 16 May 2003 16:58:23 +0300
From: Peter Pentchev
To: ipfw@FreeBSD.org
Message-ID: <20030516135823.GB13482@straylight.oblivion.bg>
In-Reply-To: <20030516135052.GA13482@straylight.oblivion.bg>
Subject: Re: ipfw2 buffer overruns
List-Id: IPFW Technical Discussions

On Fri, May 16, 2003 at 04:50:52PM +0300, Peter Pentchev wrote:
> Hi,
>
> A friend of mine, Kiril Todorov (CC'd), recently came across some quite
> strange ipfw2 behavior on -STABLE: when given a specific rule to add,
> ipfw would hang. A bit of digging into src/sbin/ipfw/ipfw2.c revealed a
> couple of internal buffers - actbuf[], cmdbuf[], rulebuf[] - with a set
> length of 255, and a couple of pointers traversing those buffers which
> were never actually checked for running over the end. Thus, it was
> trivial to construct a long enough 'ipfw add' command that would
> eventually overrun the buffer, with much confusion ensuing.
>
> Attached is a sample rule that causes this, and a patch which performs a
> couple of length checks and refuses to add the rule if a buffer overrun
> is detected. This is not the most elegant solution, and in a couple of
> the checks the damage is already done, but still...
>
> The patch is against -STABLE; it applies to -CURRENT with just a couple
> of offset lines, and the resulting source compiles; I do not currently
> have a functional -CURRENT machine to test it on, though. It works on
> -STABLE, correctly diagnosing the oversized rule, and some other tests I
> threw at it in a hurry. Still, this is the first time I'm touching the
> ipfw code, so there is a very high probability that this is not the
> right way, or not even close to the right direction; feel free to point
> it out :)

I wonder; did this actually make it to the list?  (I received a warning
about an attachment that would require the recipient to execute a program
on their end.. what is it about three text/plain files that would cause
this?  or is it the PGP/MIME sig?)

In case it didn't, the patch and the big rule are both at
http://people.FreeBSD.org/~roam/ipfw2/

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@sbnd.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.
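As an added illustration of the kind of length check the message describes (example code written for this archive page, not Peter's patch and not ipfw2's own code): a stand-in fixed-size command buffer with a write cursor, where every append checks the remaining room and refuses the whole rule once the cursor would run past the 255-entry end. The names (struct cmdbuf, cmdbuf_append, parse_rule) and the opcode layout are assumptions made for the illustration; only the buffer length of 255 comes from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for ipfw2's fixed buffers; 255 is the length the
 * message quotes for actbuf[], cmdbuf[] and rulebuf[]. */
#define CMDBUF_LEN 255
struct cmdbuf {
	uint32_t buf[CMDBUF_LEN];	/* fixed storage */
	uint32_t *cmd;			/* write cursor walking buf */
};
/* Words still free before the cursor would run past the end of buf. */
static size_t
cmdbuf_avail(const struct cmdbuf *cb)
{
	return (size_t)((cb->buf + CMDBUF_LEN) - cb->cmd);
}

/* Append one opcode occupying len words (opcode + len-1 argument words).
 * Returns 0 on success, -1 if it would overrun; on -1 nothing is written. */
static int
cmdbuf_append(struct cmdbuf *cb, uint32_t opcode, const uint32_t *args,
    size_t len)
{
	if (len == 0 || len > cmdbuf_avail(cb))
		return (-1);
	cb->cmd[0] = opcode;
	for (size_t i = 1; i < len; i++)
		cb->cmd[i] = args[i - 1];
	cb->cmd += len;
	return (0);
}

/* Build a rule of n_opcodes opcodes of words_each words apiece (constructed
 * input standing in for a long 'ipfw add' line).  Returns the number of
 * opcodes accepted, or -1 once the rule is diagnosed as oversized. */
static int
parse_rule(struct cmdbuf *cb, size_t n_opcodes, size_t words_each)
{
	uint32_t args[8] = { 0 };	/* constructed argument payload */
	if (words_each == 0 || words_each > sizeof(args) / sizeof(args[0]) + 1)
		return (-1);		/* more argument words than args holds */
	memset(cb->buf, 0, sizeof(cb->buf));
	cb->cmd = cb->buf;
	for (size_t i = 0; i < n_opcodes; i++)
		if (cmdbuf_append(cb, (uint32_t)i, args, words_each) != 0)
			return (-1);
	return ((int)n_opcodes);
}
```

A rule of 63 four-word opcodes (252 words) fits; a 64th opcode would need 256 words and is rejected before anything is written past the end.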