[Bug 208035] IPFW firewall heap overflow
bugzilla-noreply at freebsd.org
Tue Mar 15 17:50:01 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208035
Bug ID: 208035
Summary: IPFW firewall heap overflow
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: cturt at hardenedbsd.org
There is a heap overflow, triggerable only as root, in the IPFW firewall
handling code.
sys/netpfil/ipfw/ip_fw_nat.c:
        static int
        ipfw_nat_cfg(struct sockopt *sopt)
        {
                struct cfg_nat_legacy *cfg;
                struct nat44_cfg_nat *ucfg;
                struct cfg_redir_legacy *rdir;
                struct nat44_cfg_redir *urdir;
                char *buf;
                size_t len, len2;
                int error, i;

                len = sopt->sopt_valsize;
                len2 = len + 128;
                /*
                 * Allocate 2x buffer to store converted structures.
                 * new redir_cfg has shrinked, so we're sure that
                 * new buffer size is enough.
                 */
                buf = malloc(roundup2(len, 8) + len2, M_TEMP, M_WAITOK | M_ZERO);
                error = sooptcopyin(sopt, buf, len, sizeof(struct cfg_nat_legacy));
The size calculation passed to `malloc` can be overflowed, resulting in a heap
overflow on `sooptcopyin`.
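As an added illustration (my own code, not part of the bug report and not FreeBSD's fix), the program below reproduces the size arithmetic from `ipfw_nat_cfg` in user space, shows that a user-controlled `len` near `SIZE_MAX` makes `roundup2(len, 8) + (len + 128)` wrap to a small value, and contrasts it with a checked version that rejects any `len` for which an intermediate term would wrap. `ROUNDUP2` is a copy of the `roundup2` macro from `sys/sys/param.h`; `max_len` is an assumed caller-supplied policy cap, not a kernel parameter.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same definition as roundup2() in sys/sys/param.h: round x up to a
 * multiple of the power of two y. Note it adds y-1 before masking, so it
 * can itself wrap for x close to SIZE_MAX. */
#define ROUNDUP2(x, y) (((x) + ((y) - 1)) & ~((y) - 1))

/* Mirrors the arithmetic in ipfw_nat_cfg(): roundup2(len, 8) + (len + 128).
 * Every operation is unsigned, so nothing traps; the result just wraps. */
size_t unchecked_alloc_size(size_t len)
{
        size_t len2 = len + 128;

        return ROUNDUP2(len, 8) + len2;
}

/* Hardened variant (illustrative, not the project's fix): bound len by a
 * caller policy and test each addition for wrap before performing it.
 * Returns true and stores the size in *out, or false if len is rejected. */
bool checked_alloc_size(size_t len, size_t max_len, size_t *out)
{
        size_t rounded, len2;

        if (len > max_len)              /* policy cap from the caller */
                return (false);
        if (len > SIZE_MAX - 7)         /* ROUNDUP2 would wrap */
                return (false);
        rounded = ROUNDUP2(len, 8);
        if (len > SIZE_MAX - 128)       /* len + 128 would wrap */
                return (false);
        len2 = len + 128;
        if (rounded > SIZE_MAX - len2)  /* final sum would wrap */
                return (false);
        *out = rounded + len2;
        return (true);
}

/* True when the computed allocation is smaller than the number of bytes
 * sooptcopyin() would then copy into it, i.e. the overflow condition. */
bool alloc_smaller_than_copy(size_t len)
{
        return (unchecked_alloc_size(len) < len);
}

int
main(void)
{
        size_t sz;
        size_t bad = SIZE_MAX - 7;      /* constructed hostile valsize */

        printf("len=%zu -> unchecked size %zu (smaller than len: %s)\n",
            bad, unchecked_alloc_size(bad),
            alloc_smaller_than_copy(bad) ? "yes" : "no");
        printf("checked accepts it: %s\n",
            checked_alloc_size(bad, 1 << 20, &sz) ? "yes" : "no");
        if (checked_alloc_size(200, 1 << 20, &sz))
                printf("len=200 -> checked size %zu\n", sz);
        return (0);
}
```

For `len == SIZE_MAX - 7` the rounded term is `SIZE_MAX - 7` itself, `len + 128` wraps to 120, and the sum wraps to 112, so the buffer is 112 bytes while the copy length is still `len`. The checked version refuses that input at the first guard; a plain upper bound on `sopt_valsize` before the arithmetic would achieve the same thing in the kernel.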
This function is called when the `IP_FW_NAT_CFG` command is passed to
`ipfw_ctl`:
        int
        ipfw_ctl(struct sockopt *sopt)
        {
                ...
                /* Save original valsize before it is altered via sooptcopyin() */
                valsize = sopt->sopt_valsize;
                opt = sopt->sopt_name;
                ...
                switch (opt) {
                ...
                case IP_FW_NAT_CFG:
                        if (IPFW_NAT_LOADED)
                                error = ipfw_nat_cfg_ptr(sopt);
                        else {
                                printf("IP_FW_NAT_CFG: %s\n",
                                    "ipfw_nat not present, please load it");
                                error = EINVAL;
                        }
                        break;
`ipfw_ctl` is only called by `ipfw_ctl3`, which is available only to root
processes (the caller must hold the `PRIV_NETINET_IPFW` privilege):
        int
        ipfw_ctl3(struct sockopt *sopt)
        {
                ...
                error = priv_check(sopt->sopt_td, PRIV_NETINET_IPFW);
                if (error != 0)
                        return (error);

                if (sopt->sopt_name != IP_FW3)
                        return (ipfw_ctl(sopt));