bin/119815: ipfw - incorrect handling of missing arguments - segfault
Dierk Sacher
usenet01 at blaxxtarz.de
Sun Jan 20 03:10:01 UTC 2008
>Number: 119815
>Category: bin
>Synopsis: ipfw - incorrect handling of missing arguments - segfault
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jan 20 03:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Dierk Sacher
>Release: FreeBSD 7.0-RC1 i386
>Organization:
DSITC
>Environment:
System: FreeBSD voxx.evangelion.free 7.0-RC1 FreeBSD 7.0-RC1 #3: Sun Jan 20 00:44:35 CET 2008 root at voxx.evangelion.free:/usr/obj/usr/src/sys/VOXX i386
>Description:
ipfw does no input validation on the interface argument of the `nat config if` option.
If the interface name is left out, ipfw segfaults because the TOK_IF case never checks for ac == 0 (the ip case does).
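The pattern behind this crash, shown as an added example rather than ipfw's own code: a minimal argument walker in ipfw's `ac--; av++` style with two options, `ip` and `if`. The `struct nat_cfg`, `parse_nat_config` and the two `try_*` helpers are assumptions for illustration; the interesting line is the `ac == 0` guard in the `TOK_IF` case, which is the same check the patch adds. Without it, `av[0]` is the slot past the last argument (NULL in a real argv) and the callee dereferences it.

```c
#include <stdio.h>
#include <string.h>
#include <sysexits.h>

/* Illustrative option parser in the style of ipfw's nat config parsing.
 * Not ipfw code; struct and function names are made up for this example. */

#define IFNAME_MAX 16

struct nat_cfg {
    char ifname[IFNAME_MAX];
    char ip[64];
};

enum { TOK_IP, TOK_IF, TOK_UNKNOWN };

static int match_token(const char *s)
{
    if (strcmp(s, "ip") == 0) return TOK_IP;
    if (strcmp(s, "if") == 0) return TOK_IF;
    return TOK_UNKNOWN;
}

/* Returns 0 on success, EX_DATAERR when an option lacks its argument or
 * an unknown token appears. The `ac == 0` test before touching av[0] is
 * what the PR's patch adds for TOK_IF; ipfw calls errx() there, this
 * example returns the code so callers (and tests) can observe it. */
int parse_nat_config(int ac, char **av, struct nat_cfg *cfg)
{
    memset(cfg, 0, sizeof(*cfg));
    while (ac > 0) {
        int tok = match_token(av[0]);
        ac--; av++;                       /* consume the option keyword */
        switch (tok) {
        case TOK_IP:
            if (ac == 0)
                return EX_DATAERR;        /* "missing option" */
            snprintf(cfg->ip, sizeof(cfg->ip), "%s", av[0]);
            ac--; av++;
            break;
        case TOK_IF:
            if (ac == 0)                  /* the guard the patch introduces */
                return EX_DATAERR;
            snprintf(cfg->ifname, sizeof(cfg->ifname), "%s", av[0]);
            ac--; av++;
            break;
        default:
            return EX_DATAERR;
        }
    }
    return 0;
}

/* Constructed input: "if" with no interface name (the PR's reproducer).
 * The NULL mirrors the terminating slot of a real argv. */
int try_missing_if(void)
{
    char *av[] = { "if", NULL };
    struct nat_cfg cfg;
    return parse_nat_config(1, av, &cfg);
}

/* Constructed input: the well-formed form, "if rl0". */
int try_full_if(char *out, size_t outlen)
{
    char *av[] = { "if", "rl0", NULL };
    struct nat_cfg cfg;
    int rc = parse_nat_config(2, av, &cfg);
    snprintf(out, outlen, "%s", cfg.ifname);
    return rc;
}

int main(void)
{
    char buf[IFNAME_MAX];
    printf("'if' alone  -> rc=%d (EX_DATAERR is %d)\n", try_missing_if(), EX_DATAERR);
    printf("'if rl0'    -> rc=%d ifname=%s\n", try_full_if(buf, sizeof buf), buf);
    return 0;
}
```

The guard has to run before any use of `av[0]`, not after: once `ac` reaches zero the only thing left in `av` is the argv terminator, so a check placed after `set_addr_dynamic()` would be too late.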
>How-To-Repeat:
Issue the following commands on a machine with the new IPFIREWALL_NAT feature enabled:
1. Configure a nat rule (e.g.: ipfw add 100 nat 1 ip from any to any via rl0)
2. Issue the _wrong_ command (intentionally leaving out the interface argument): ipfw nat 1 config if
ipfw will segfault and dump core.
>Fix:
See the patch against ipfw2.c below:
--- ipfw2.c.orig 2008-01-20 01:57:47.000000000 +0100
+++ ipfw2.c 2008-01-20 01:57:53.000000000 +0100
@@ -3994,6 +3994,8 @@
ac--; av++;
break;
case TOK_IF:
+ if (ac == 0)
+ errx(EX_DATAERR, "missing option");
set_addr_dynamic(av[0], n);
ac--; av++;
break;
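Review bot: the `if (ac == 0)` guard is placed correctly, before `set_addr_dynamic(av[0], n)`, which is the only point in this case that reads `av[0]`; once `ac` is zero that slot is the argv terminator, so the check must precede the call rather than follow it. Consider making the message name the option that is incomplete, e.g. `errx(EX_DATAERR, "missing interface name for 'if'");`, so a user typing `ipfw nat 1 config if` sees which argument is absent instead of a generic "missing option".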
>Release-Note:
>Audit-Trail:
>Unformatted: