kern/51341: ipfw rule 'deny icmp from any to any icmptype 5' matches fragmented icmp packets (fwd)

Maxim Konovalov maxim at macomnet.ru
Thu Apr 24 04:50:23 PDT 2003


The following reply was made to PR kern/51341; it has been noted by GNATS.

From: Maxim Konovalov <maxim at macomnet.ru>
To: bug-followup at freebsd.org
Cc:  
Subject: Re: kern/51341: ipfw rule 'deny icmp from any to any icmptype 5'
 matches fragmented icmp packets (fwd)
Date: Thu, 24 Apr 2003 15:43:12 +0400 (MSD)

 Add to audit trail.
 
 -- 
 Maxim Konovalov, maxim at macomnet.ru, maxim at FreeBSD.org
 
 ---------- Forwarded message ----------
 Date: Thu, 24 Apr 2003 14:35:58 +0300
 From: Andrey Lakhno <land at dnepr.net>
 To: Maxim Konovalov <maxim at macomnet.ru>
 Subject: Re: kern/51341: ipfw rule 'deny icmp from any to any icmptype 5'
     matches fragmented icmp packets
 
 Hello,
 
 On Thu, 24 Apr 2003, Maxim Konovalov wrote:
 
 > Could you please test a patch below? Thanks.
 
 It works.
 Thank you!
 
 > Index: sys/netinet/ip_fw.c
 > ===================================================================
 > RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
 > retrieving revision 1.131.2.39
 > diff -u -r1.131.2.39 ip_fw.c
 > --- sys/netinet/ip_fw.c	20 Jan 2003 02:23:07 -0000	1.131.2.39
 > +++ sys/netinet/ip_fw.c	24 Apr 2003 11:12:02 -0000
 > @@ -1434,7 +1434,7 @@
 >  			struct icmp *icmp;
 >
 >  			if (offset != 0)	/* Type isn't valid */
 > -				break;
 > +				continue;
 >  			icmp = (struct icmp *) ((u_int32_t *)ip + ip->ip_hl);
 >  			if (!icmptype_match(icmp, f))
 >  				continue;
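
 Review bot: The comment on the `offset != 0` check still reads only "Type isn't valid" and does not say why the rule is now skipped rather than matched. With `continue`, a non-first fragment can never match a rule that reaches this icmptype check, the same outcome as a failed `icmptype_match()`. That stops a `deny ... icmptype 5` rule from catching fragments of other ICMP types, but it also means the later fragments of a type that an allow rule names will fall through to the subsequent rules. Suggest expanding the comment to say that a fragment with a non-zero offset carries no ICMP header, so the rule cannot match, and noting the fall-through for rule sets that rely on icmptype rules to pass fragmented ICMP.
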
 >
 > %%%
 
 -- 
 Andrey Lakhno,
 land-ripe

