bin/119815: ipfw - incorrect handling of missing arguments - segfault

Dierk Sacher usenet01 at blaxxtarz.de
Sun Jan 20 03:10:01 UTC 2008


>Number:         119815
>Category:       bin
>Synopsis:       ipfw - incorrect handling of missing arguments - segfault
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 20 03:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Dierk Sacher
>Release:        FreeBSD 7.0-RC1 i386
>Organization:
DSITC
>Environment:
System: FreeBSD voxx.evangelion.free 7.0-RC1 FreeBSD 7.0-RC1 #3: Sun Jan 20 00:44:35 CET 2008     root at voxx.evangelion.free:/usr/obj/usr/src/sys/VOXX  i386


>Description:
ipfw does not validate the interface argument of the `nat config if` parameter.
	If the argument is left out, ipfw segfaults because the TOK_IF: case does not check for ac == 0 before reading av[0] (the ip case does have such a check).
>How-To-Repeat:
Issue the following commands on a machine with the new IPFIREWALL_NAT feature turned on:

	1. Configure a nat rule (e.g.: ipfw add 100 nat 1 ip from any to any via rl0)
	2. Issue the _wrong_ command (intentionally leaving out the interface argument): ipfw nat 1 config if

	ipfw will segfault and dump core.
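	The following is an added illustration, not code from ipfw2.c: a small option walker in the same ac/av style the report describes, showing the guard that keeps a missing argument from turning into a read past the end of the argument vector. The token names, the struct, and the "if"/"ip" keywords are assumptions modelled on the report; the two demo functions feed it the complete and the truncated command from the steps above.

```c
/* Added example (not the ipfw source): an ac/av option walker that checks
 * the remaining argument count before consuming a value. */
#include <stdio.h>
#include <string.h>

enum tok { TOK_NONE, TOK_IP, TOK_IF };   /* assumed token names */

struct nat_cfg {
    char ip[64];
    char ifname[32];
};

/* Map a keyword to a token; unknown words map to TOK_NONE. */
static enum tok match_token(const char *word)
{
    if (strcmp(word, "ip") == 0) return TOK_IP;
    if (strcmp(word, "if") == 0) return TOK_IF;
    return TOK_NONE;
}

/* Walk the options after "config". Returns 0 on success, -1 on a missing
 * argument or unknown keyword. Every keyword that consumes a value checks
 * ac first, so av[0] is never read when nothing is left in the vector. */
int parse_nat_config(int ac, char **av, struct nat_cfg *cfg)
{
    memset(cfg, 0, sizeof(*cfg));
    while (ac > 0) {
        enum tok t = match_token(*av);
        ac--; av++;                      /* consume the keyword */
        switch (t) {
        case TOK_IP:
            if (ac == 0) {
                fprintf(stderr, "missing IP address after 'ip'\n");
                return -1;
            }
            snprintf(cfg->ip, sizeof(cfg->ip), "%s", av[0]);
            ac--; av++;
            break;
        case TOK_IF:
            if (ac == 0) {               /* the check the report asks for */
                fprintf(stderr, "missing interface name after 'if'\n");
                return -1;
            }
            snprintf(cfg->ifname, sizeof(cfg->ifname), "%s", av[0]);
            ac--; av++;
            break;
        default:
            fprintf(stderr, "unknown option '%s'\n", av[-1]);
            return -1;
        }
    }
    return 0;
}

/* "ipfw nat 1 config if rl0" (constructed input): returns 1 when the
 * parse succeeds and the interface name was captured. */
int demo_complete_ok(void)
{
    struct nat_cfg cfg;
    char *argv[] = { "if", "rl0" };
    if (parse_nat_config(2, argv, &cfg) != 0)
        return 0;
    return strcmp(cfg.ifname, "rl0") == 0;
}

/* "ipfw nat 1 config if" with nothing after it (constructed input):
 * returns the parser's result, -1 instead of a crash. */
int demo_missing_arg(void)
{
    struct nat_cfg cfg;
    char *argv[] = { "if" };
    return parse_nat_config(1, argv, &cfg);
}

int main(void)
{
    printf("complete command ok: %d\n", demo_complete_ok());
    printf("missing argument:    %d\n", demo_missing_arg());
    return 0;
}
```

	The point of the example is that the count check lives in the same case that reads the value, so each keyword is safe on its own and adding a new one cannot silently reintroduce the crash.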

>Fix:
see patch against ipfw2.c

--- ipfw2.c.orig        2008-01-20 01:57:47.000000000 +0100
+++ ipfw2.c     2008-01-20 01:57:53.000000000 +0100
@@ -3994,6 +3994,8 @@
                        ac--; av++;
                        break;      
                case TOK_IF:
+                       if (ac == 0) 
+                               errx(EX_DATAERR, "missing option");
                        set_addr_dynamic(av[0], n);
                        ac--; av++;
                        break;
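Review bot: the `ac == 0` guard before `set_addr_dynamic(av[0], n)` closes the read past the end of the argument vector that the description reports and matches the check the ip case already has, but the added `if (ac == 0) ` line carries trailing whitespace, and "missing option" does not tell the user which argument was left out; a message naming it (for example "missing interface name") would make the error from the command in How-To-Repeat self-explanatory.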
>Release-Note:
>Audit-Trail:
>Unformatted: