Date: Thu, 28 Aug 2003 17:18:23 +0200 From: Flemming Kraglund <fk@kraglund.net> To: freebsd-stable@freebsd.org, freebsd-current@freebsd.org Subject: natd fw punch rule leak found (and fix) Message-ID: <3F4E1D3F.219BBC7A@kraglund.net>
next in thread | raw e-mail | index | archive | help
On a busy ftp site it was noticed that natd stopped punching ftp data
session after some time, it was leaking the fw rule numbers allocated
for punching. This happens if the ftp clients or ftp servers TCP layer
was retransmitting the PORT/EPRT or the passive replies or as a DoS
from a malicious client, then natd will allocated a new fw rule number
for the punch overwriting the old allocated number, this happens even
if the punch would not occur due to one of the port numbers being zero.
The fix is simple, in libalias/alias_db.c in PunchFWHole add the
following after the initial packetAliasMode test:
/* FK, fix fw rule slots leak */
/* PROBLEM: we get double allocation for a link if there is a
retransmission of a packet with session information
(ftp PORT command etc) or a DoS client that keeps sending
such commands, this double allocation will overwrite the
previous allocated rule slot number.
FIX: If one of the ports for the FW rule is zero then no
rule is punched so don't do the punch stuff.
*/
if (GetOriginalPort(link) == 0 || GetDestPort(link) == 0)
return;
ClearFWHole(link);
/* FK, fix fw rule slots leak ends */
/FK
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F4E1D3F.219BBC7A>