Date:      Sun, 03 Jun 2001 06:49:24 +0900 (JST)
From:      Hajimu UMEMOTO <ume@mahoroba.org>
To:        mdavis@cts.com
Cc:        freebsd-stable@freebsd.org, security@freebsd.org, wollman@freebsd.org, freebsd-print@bostonradio.org, drosih@rpi.edu
Subject:   Re: Malformed from address
Message-ID:  <20010603.064924.55505694.ume@mahoroba.org>
In-Reply-To: <000001c0eba9$4f34e1c0$271978d8@cts.com>
References:  <000001c0eb56$6d6ae250$241978d8@cts.com> <000001c0eba9$4f34e1c0$271978d8@cts.com>

>>>>> On Sat, 2 Jun 2001 14:16:36 -0700
>>>>> "Morgan Davis" <mdavis@cts.com> said:

mdavis> 3.  Watching tcpdump, the ports from the client systems start above the
mdavis> privileged port range (IPPORT_RESERVED).   With each failure, they will
mdavis> reconnect and increment the originating port number.  Here are the
mdavis> starting port numbers I saw in tcpdump for various Windows OS flavors: 

mdavis> 	23xx - Windows XP Pro (build 2475)
mdavis> 	11xx - Windows 2000 Pro
mdavis> 	10xx - Windows 2000 Server

mdavis> These are listed in order of machine uptime.  I had just rebooted the
mdavis> Win2K Server machine to do this test, so it must start at 1024
mdavis> (IPPORT_RESERVED).

Then, Windows is broken.  A printer client must bind its source port to
a port within IPPORT_RESERVED.

mdavis> In looking at the lpd.c code (and netinet/in.h), the logic in lpd.c's
mdavis> test seems to be wrong (or is missing a !):

mdavis> if (error || atoi(serv) >= IPPORT_RESERVED)
mdavis> 	fatal(0, "Malformed from address");

mdavis> This would imply that any port at or above the IPPORT_RESERVED
mdavis> threshold is illegal, which (I think) is clearly wrong.  Shouldn't it
mdavis> be < IPPORT_RESERVED?  Or better still: 

This checking code is correct.  r-authentication requires that the
connection comes from the reserved port range.  Please see the
iruserok_sa(3) manpage.

mdavis> if (error || atoi(serv) < IPPORT_RESERVED || atoi(serv) >
mdavis> IPPORT_HILASTAUTO)
mdavis> 	fatal(0, "Malformed from address or illegal port");

This code is wrong.  Since Unix's lpr does bind to a reserved port, you
will not be able to print from Unix boxes.  If you wish to allow such
broken connections, you can simply remove the reserved port checking.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
