PF ioctl(DIOCADDADDR) possible bug

Boris Polevoy vapcom at mail.ru
Fri Aug 5 11:06:25 GMT 2005


Hello, All!

I found a possible problem in the function pf_ioctl.c/pfioctl() in FreeBSD 5.4-RELEASE PF.

To add a PF rdr (nat) rule to the active ruleset we have to do several steps:
1) get a pool ticket with ioctl(DIOCBEGINADDRS);
2) create an address pool with several ioctl(DIOCADDADDR);
3) get a ticket for adding the rule with ioctl(DIOCCHANGERULE);
4) add the rule with ioctl(DIOCCHANGERULE).

In step 2, ioctl(DIOCADDADDR) does not check the pool ticket value, so it is possible for a malicious or faulty
address pool addition to be made from another process without getting a pool ticket.

Is it a bug or not?

With best regards
Boris Polevoy
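A user-space model of the ticket protocol described in the post, added here as an illustration; it is not code from the post or from pf_ioctl.c. The function names, the single global ticket, the address encoding and the errno values are assumptions chosen to show what a ticket check on DIOCADDADDR would reject.

```c
/* Model of the pool-address ticket protocol from the post (assumption: not
 * the real kernel code). DIOCBEGINADDRS hands out a ticket, DIOCADDADDR must
 * present that ticket, DIOCCHANGERULE consumes the pool with the same ticket. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define POOL_MAX 8

/* Modelled kernel-side state: current pool ticket and the address buffer. */
static uint32_t ticket_pabuf = 0;
static uint32_t pabuf[POOL_MAX];   /* constructed: IPv4 addresses as uint32 */
static int pabuf_len = 0;

/* DIOCBEGINADDRS: issue a fresh ticket and empty the buffer. */
uint32_t model_beginaddrs(void) {
    pabuf_len = 0;
    return ++ticket_pabuf;
}

/* DIOCADDADDR with the ticket check the post says is missing.
 * Returns 0 on success, EBUSY for a stale or foreign ticket, ENOMEM when full. */
int model_addaddr(uint32_t ticket, uint32_t addr) {
    if (ticket != ticket_pabuf) return EBUSY;   /* caller does not hold the pool */
    if (pabuf_len >= POOL_MAX) return ENOMEM;
    pabuf[pabuf_len++] = addr;
    return 0;
}

/* DIOCCHANGERULE (add): hand the buffered pool to the rule only when the
 * caller's pool_ticket matches. Returns the number of addresses taken, or -EBUSY. */
int model_changerule_add(uint32_t pool_ticket) {
    int n;
    if (pool_ticket != ticket_pabuf) return -EBUSY;
    n = pabuf_len;
    pabuf_len = 0;            /* pool now belongs to the rule; buffer cleared */
    return n;
}

int main(void) {
    uint32_t t = model_beginaddrs();          /* process A: step 1 */
    model_addaddr(t, 0x0a000001u);            /* process A: step 2 */
    int r = model_addaddr(t + 7, 0xc0a80001u);/* another process, no ticket */
    printf("foreign DIOCADDADDR -> %s\n", r == EBUSY ? "EBUSY" : "accepted");
    printf("rule received %d address(es)\n", model_changerule_add(t));
    return 0;
}
```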
