kern/51341: ipfw rule 'deny icmp from any to any icmptype 5' matches fragmented icmp packets

Maxim Konovalov maxim at macomnet.ru
Thu Apr 24 04:20:16 PDT 2003


The following reply was made to PR kern/51341; it has been noted by GNATS.

From: Maxim Konovalov <maxim at macomnet.ru>
To: land at dnepr.net
Cc: bug-followup at freebsd.org, luigi at freebsd.org
Subject: Re: kern/51341: ipfw rule 'deny icmp from any to any icmptype 5'
 matches fragmented icmp packets
Date: Thu, 24 Apr 2003 15:14:05 +0400 (MSD)

 Hello,
 
 Could you please test the patch below? Thanks.
 
 Index: sys/netinet/ip_fw.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
 retrieving revision 1.131.2.39
 diff -u -r1.131.2.39 ip_fw.c
 --- sys/netinet/ip_fw.c	20 Jan 2003 02:23:07 -0000	1.131.2.39
 +++ sys/netinet/ip_fw.c	24 Apr 2003 11:12:02 -0000
 @@ -1434,7 +1434,7 @@
  			struct icmp *icmp;
 
  			if (offset != 0)	/* Type isn't valid */
 -				break;
 +				continue;
  			icmp = (struct icmp *) ((u_int32_t *)ip + ip->ip_hl);
  			if (!icmptype_match(icmp, f))
  				continue;
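
Review bot: The comment on the `if (offset != 0)` test still reads "Type isn't valid", which does not explain the control flow now that the branch is `continue`. It should say that a non-first fragment carries no ICMP header, so a rule with ICMP types cannot be evaluated against it and the rule is skipped. The context shown here also does not include the condition that guards this block, so it is worth confirming that the block is entered only for rules that specify icmptypes. If it is entered for every ICMP rule, the `continue` would make a plain 'icmp from any to any' rule stop matching non-first fragments.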
 
 %%%
 
 -- 
 Maxim Konovalov, maxim at macomnet.ru, maxim at FreeBSD.org

