Date:      Fri, 16 May 2003 16:58:23 +0300
From:      Peter Pentchev <roam@ringlet.net>
To:        ipfw@FreeBSD.org
Subject:   Re: ipfw2 buffer overruns
Message-ID:  <20030516135823.GB13482@straylight.oblivion.bg>
In-Reply-To: <20030516135052.GA13482@straylight.oblivion.bg>
References:  <20030516135052.GA13482@straylight.oblivion.bg>

On Fri, May 16, 2003 at 04:50:52PM +0300, Peter Pentchev wrote:
> Hi,
> 
> A friend of mine, Kiril Todorov (CC'd), recently came across some quite
> strange ipfw2 behavior on -STABLE: when given a specific rule to add,
> ipfw would hang.  A bit of digging into src/sbin/ipfw/ipfw2.c revealed a
> couple of internal buffers - actbuf[], cmdbuf[], rulebuf[] - with a set
> length of 255, and a couple of pointers traversing those buffers which
> were never actually checked for running over the end.  Thus, it was
> trivial to construct a long enough 'ipfw add' command that would
> eventually overrun the buffer, with much confusion ensuing.
> 
> Attached is a sample rule that causes this, and a patch which performs a
> couple of length checks and refuses to add the rule if a buffer overrun
> is detected.  This is not the most elegant solution, and in a couple of
> the checks the damage is already done, but still...
> 
> The patch is against -STABLE; it applies to -CURRENT with just a couple
> of offset lines, and the resulting source compiles; I do not currently
> have a functional -CURRENT machine to test it on, though.  It works on
> -STABLE, correctly diagnosing the oversized rule, and some other tests I
> threw at it in a hurry.  Still, this is the first time I'm touching the
> ipfw code, so there is a very high probability that this is not the
> right way, or not even close to the right direction; feel free to point
> it out :)

I wonder: did this actually make it to the list?  (I received a warning
about an attachment that would require the recipient to execute a
program on their end... what is it about three text/plain files that
would cause this?  Or is it the PGP/MIME sig?)

In case it didn't, the patch and the big rule are both at
http://people.FreeBSD.org/~roam/ipfw2/

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20030516135823.GB13482>
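The failure mode described in the quoted message is a fixed-size buffer walked by a pointer that is never compared against the buffer's end, so a long enough 'ipfw add' command keeps writing past it. The following is an added example, not ipfw's code and not the patch at the URL above: a toy rule encoder with a fixed-size cmdbuf and a next-slot pointer, where every emit reserves space before writing so an oversized rule is refused instead of overrunning. The buffer size, the token encoding, the names (rule_builder, rb_reserve, build_rule) and the sample rules are assumptions of this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Deliberately small so the overrun path is easy to hit; the message says the
 * real ipfw2 buffers held 255 entries.  Everything below is a toy model. */
#define CMDBUF_WORDS 16

struct rule_builder {
    uint32_t  cmdbuf[CMDBUF_WORDS];   /* fixed-size instruction buffer */
    uint32_t *cmd;                    /* next free slot, walks cmdbuf */
    char      err[96];                /* why a rule was refused, if it was */
};

static void rb_init(struct rule_builder *rb)
{
    memset(rb, 0, sizeof *rb);
    rb->cmd = rb->cmdbuf;
}

/* The unchecked pattern the message describes looks like
 *     *cmd++ = word;        // no comparison of cmd against cmdbuf + CMDBUF_WORDS
 * and once cmd walks off the end the stores land in whatever follows cmdbuf.
 * The fix is to reserve space BEFORE each write; a check placed after the
 * write is too late, the damage is already done. */
static int rb_reserve(struct rule_builder *rb, size_t nwords)
{
    size_t used = (size_t)(rb->cmd - rb->cmdbuf);
    size_t left = CMDBUF_WORDS - used;
    if (nwords > left) {
        snprintf(rb->err, sizeof rb->err,
                 "rule too long: needs %zu more words, only %zu left",
                 nwords, left);
        return -1;
    }
    return 0;
}

/* Toy encoding (an assumption of this example, not ipfw's): one opcode word
 * holding the token length, then the token bytes packed four per word. */
static int rb_emit_token(struct rule_builder *rb, const char *tok, size_t len)
{
    size_t payload = (len + 3) / 4;
    if (rb_reserve(rb, 1 + payload) < 0)
        return -1;                       /* refused; nothing written */
    *rb->cmd++ = (uint32_t)len;
    for (size_t i = 0; i < payload; i++) {
        uint32_t w = 0;
        for (size_t j = 0; j < 4 && i * 4 + j < len; j++)
            w |= (uint32_t)(unsigned char)tok[i * 4 + j] << (8 * j);
        *rb->cmd++ = w;
    }
    return 0;
}

/* Split a rule body on whitespace and encode every token.  Returns the number
 * of 32-bit words used, or -1 with rb->err set when the rule does not fit. */
static int build_rule(struct rule_builder *rb, const char *rule)
{
    const char *p = rule;
    rb_init(rb);
    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p))
            p++;
        if (rb_emit_token(rb, start, (size_t)(p - start)) < 0)
            return -1;
    }
    return (int)(rb->cmd - rb->cmdbuf);
}

/* A short rule (constructed input) that fits: returns the word count. */
static int demo_short_rule(void)
{
    struct rule_builder rb;
    return build_rule(&rb, "allow ip from any to any");
}

/* A long rule (constructed input) that must be refused: returns 1 when it was
 * refused, an error text was produced and the write pointer never left cmdbuf. */
static int demo_long_rule_refused(void)
{
    struct rule_builder rb;
    int rc = build_rule(&rb,
        "allow ip from 10.0.0.0/8 to 192.168.0.0/16 via em0 keep-state");
    return rc == -1 && rb.err[0] != '\0' &&
           rb.cmd <= rb.cmdbuf + CMDBUF_WORDS;
}

int main(void)
{
    struct rule_builder rb;
    int n = build_rule(&rb, "allow ip from any to any");
    printf("short rule: %d words\n", n);
    n = build_rule(&rb,
        "allow ip from 10.0.0.0/8 to 192.168.0.0/16 via em0 keep-state");
    printf("long rule: %s\n", n < 0 ? rb.err : "accepted");
    return 0;
}
```

The point of the shape is that rb_reserve runs before any store through rb->cmd, so the worst an oversized rule can do is produce an error message; a check that only runs after the copy would still let the first overrun write land.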