Date: Sun, 20 Jan 2008 02:13:49 +0100 (CET)
From: Dierk Sacher <usenet01@blaxxtarz.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/119815: ipfw - incorrect handling of missing arguments - segfault
Message-ID: <200801200113.m0K1DngK096624@blaxxtarz.evangelion.free>
Resent-Message-ID: <200801200310.m0K3A1uN084348@freefall.freebsd.org>
>Number:         119815
>Category:       bin
>Synopsis:       ipfw - incorrect handling of missing arguments - segfault
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 20 03:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Dierk Sacher
>Release:        FreeBSD 7.0-RC1 i386
>Organization:
DSITC
>Environment:
System: FreeBSD voxx.evangelion.free 7.0-RC1 FreeBSD 7.0-RC1 #3: Sun Jan 20 00:44:35 CET 2008 root@voxx.evangelion.free:/usr/obj/usr/src/sys/VOXX i386

>Description:
ipfw does improper input validation on the interface argument to the nat config if parameter. If you leave it out, ipfw will segfault because no check for ac == 0 is done in the TOK_IF: case (as is done for the ip).
>How-To-Repeat:
Issue the following commands on a machine with the new IPFIREWALL_NAT feature turned on:

1. Configure a nat rule (e.g.: ipfw add 100 nat 1 ip from any to any via rl0)

2. Issue the _wrong_ command (intentionally leaving out the interface argument):

   ipfw nat 1 config if

ipfw will segfault and dump core.
>Fix:
See patch against ipfw2.c:

--- ipfw2.c.orig	2008-01-20 01:57:47.000000000 +0100
+++ ipfw2.c	2008-01-20 01:57:53.000000000 +0100
@@ -3994,6 +3994,8 @@
 			ac--; av++;
 			break;
 		case TOK_IF:
+			if (ac == 0)
+				errx(EX_DATAERR, "missing option");
 			set_addr_dynamic(av[0], n);
 			ac--; av++;
 			break;
>Release-Note:
>Audit-Trail:
>Unformatted:
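Review bot: the guard in the TOK_IF case is correct, but `errx(EX_DATAERR, "missing option")` does not say which option is missing its argument, so `ipfw nat 1 config if` now fails with the same text as a missing `ip` address; a message that names the option (for example "missing interface name for option if") costs nothing and saves the user a trip to the manual. The underlying pattern is `av[0]` being read with `ac == 0`, which for a C argv is the NULL terminator slot, and this hunk only fixes the one case the submitter hit; the other cases in the same switch that consume an argument are outside the visible context, so the full `config_nat` loop should be checked for the same missing `ac == 0` test rather than patching TOK_IF alone.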
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200801200113.m0K1DngK096624>
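The crash the PR describes is the `ac`/`av` walk reading past the last word: after the option token is consumed, `ac` is 0 and `av[0]` is the NULL that terminates a C argv, which then reaches `set_addr_dynamic()`. The following is an added example, not FreeBSD's ipfw2.c: a minimal parser in the same shape as the `nat N config ...` option loop, with the missing-argument guard applied to every token that takes an argument, and with error codes returned instead of `errx()` so the behaviour can be checked. The token table (`ip`, `if`, `log`), the `nat_cfg` structure and the `NAT_ERR_*` codes are assumptions made for illustration, not ipfw's own definitions.

```c
/* Added example (not ipfw2.c): argument-count-safe option loop in the
 * shape of ipfw's "nat N config ..." parser.  Names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

enum { TOK_IP, TOK_IF, TOK_LOG, TOK_UNKNOWN };

/* Outcome codes used in place of errx(), so callers (and tests) can check. */
enum {
	NAT_OK = 0,
	NAT_ERR_MISSING_ARG,     /* option present, its argument is not */
	NAT_ERR_BAD_IP,
	NAT_ERR_UNKNOWN_TOKEN
};

struct nat_cfg {
	unsigned char ip[4];     /* parsed dotted quad */
	char ifname[16];         /* IFNAMSIZ-sized buffer */
	int log;
	const char *err_tok;     /* option the error refers to (assumed field) */
};

static int match_token(const char *s)
{
	if (strcmp(s, "ip") == 0)  return TOK_IP;
	if (strcmp(s, "if") == 0)  return TOK_IF;
	if (strcmp(s, "log") == 0) return TOK_LOG;
	return TOK_UNKNOWN;
}

/* Minimal dotted-quad parser (stand-in for inet_aton); 1 on success. */
static int parse_ipv4(const char *s, unsigned char out[4])
{
	unsigned a, b, c, d;
	char tail;
	if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
		return 0;
	if (a > 255 || b > 255 || c > 255 || d > 255)
		return 0;
	out[0] = a; out[1] = b; out[2] = c; out[3] = d;
	return 1;
}

/*
 * ac/av are the words after "nat N config", as ipfw's loop sees them.
 * Each option word is consumed before the switch, so inside a case
 * ac == 0 means "no argument left": reading av[0] there hits the
 * argv NULL terminator, which is exactly the PR's segfault.
 */
int config_nat_parse(int ac, char **av, struct nat_cfg *n)
{
	memset(n, 0, sizeof *n);
	while (ac > 0) {
		const char *opt = av[0];
		int tok = match_token(opt);
		ac--; av++;              /* consume the option word */
		switch (tok) {
		case TOK_IP:
			if (ac == 0) { n->err_tok = opt; return NAT_ERR_MISSING_ARG; }
			if (!parse_ipv4(av[0], n->ip)) { n->err_tok = opt; return NAT_ERR_BAD_IP; }
			ac--; av++;
			break;
		case TOK_IF:
			/* the guard bin/119815 adds, same shape as the ip case */
			if (ac == 0) { n->err_tok = opt; return NAT_ERR_MISSING_ARG; }
			snprintf(n->ifname, sizeof n->ifname, "%s", av[0]);
			ac--; av++;
			break;
		case TOK_LOG:
			n->log = 1;          /* flag: takes no argument, nothing to guard */
			break;
		default:
			n->err_tok = opt;
			return NAT_ERR_UNKNOWN_TOKEN;
		}
	}
	return NAT_OK;
}

int main(void)
{
	struct nat_cfg n;
	/* constructed inputs: the PR's failing command and a correct one */
	char *bad[]  = { "if" };
	char *good[] = { "ip", "192.0.2.1", "if", "rl0", "log" };
	int rc = config_nat_parse(1, bad, &n);
	printf("nat 1 config if      -> rc=%d (missing argument to \"%s\")\n", rc, n.err_tok);
	rc = config_nat_parse(5, good, &n);
	printf("full config          -> rc=%d if=%s log=%d\n", rc, n.ifname, n.log);
	return 0;
}
```

The point of returning a code with `err_tok` set is that the caller can print which option lacked its argument; ipfw's `errx(EX_DATAERR, "missing option")` exits with the right status but the same text for every option.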