3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
246 lines
6.2 KiB
Text
246 lines
6.2 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-96:14 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: Firewall filter leak with user level ipfw
|
|
|
|
Category: core
|
|
Module: ipfw
|
|
Announced: 1996-06-24
|
|
Affects: FreeBSD -current Feb 24 1996 and later (ipfw.c rev 1.20)
|
|
FreeBSD -stable Feb 26 1996 and later (ipfw.c rev 1.15.4.2)
|
|
Corrected: Both FreeBSD -current and -stable as of Jun 23 1996
|
|
FreeBSD only: yes
|
|
|
|
Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:14/
|
|
|
|
=============================================================================
|
|
|
|
I. Background
|
|
|
|
FreeBSD is shipped with packet filtering code. This is implemented
|
|
by kernel level modules and user level programs. The user level
|
|
program ipfw, used to control the packet filtering code in the
|
|
kernel, has a bug in the way packet filter rules are interpreted.
|
|
|
|
|
|
II. Problem Description
|
|
|
|
A potential problem exists when users specify mask addresses to
|
|
ipfw(8) using the address:mask syntax. Specifically, whenever the ':'
|
|
syntax is used, the resulting mask is always 0xffffffff.
|
|
|
|
|
|
III. Impact
|
|
|
|
Whenever the address:mask syntax is used, the actual packet filtering
|
|
will differ from the expected filtering thus allowing or denying
|
|
more packets through the filter than intended.
|
|
|
|
|
|
IV. Workaround
|
|
|
|
There is a simple workaround for this problem: Do not use the
|
|
address:mask syntax. In stead, use the address/mask syntax. The
|
|
implementation of the latter way of specifying masks does not suffer
|
|
from the mentioned bug.
|
|
|
|
V. Solution
|
|
|
|
Apply one of the patches below, depending on your version of
|
|
FreeBSD. The patch is against /usr/src/sbin/ipfw/ipfw.c
|
|
|
|
The following patch applies to -stable:
|
|
|
|
|
|
Index: ipfw.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
|
|
retrieving revision 1.15.4.4
|
|
retrieving revision 1.15.4.5
|
|
diff -u -r1.15.4.4 -r1.15.4.5
|
|
- --- ipfw.c 1996/06/18 02:03:29 1.15.4.4
|
|
+++ ipfw.c 1996/06/23 20:51:37 1.15.4.5
|
|
@@ -15,7 +15,7 @@
|
|
*
|
|
* NEW command line interface for IP firewall facility
|
|
*
|
|
- - * $Id: FreeBSD-SA-96:14.ipfw.asc,v 1.1 2001/09/02 00:04:38 kris Exp $
|
|
+ * $Id: FreeBSD-SA-96:14.ipfw.asc,v 1.1 2001/09/02 00:04:38 kris Exp $
|
|
*
|
|
*/
|
|
|
|
@@ -200,7 +200,7 @@
|
|
}
|
|
|
|
if (chain->fw_flg & IP_FW_F_FRAG)
|
|
- - printf("frag ");
|
|
+ printf(" frag ");
|
|
|
|
if (chain->fw_ipopt || chain->fw_ipnopt) {
|
|
int _opt_printed = 0;
|
|
@@ -321,12 +321,22 @@
|
|
|
|
if (!inet_aton(*av,ipno))
|
|
show_usage("ip number\n");
|
|
- - if (md == ':' && !inet_aton(p,mask))
|
|
- - show_usage("ip number\n");
|
|
- - else if (md == '/')
|
|
- - mask->s_addr = htonl(0xffffffff << (32 - atoi(p)));
|
|
- - else
|
|
- - mask->s_addr = htonl(0xffffffff);
|
|
+ switch (md) {
|
|
+ case ':':
|
|
+ if (!inet_aton(p,mask))
|
|
+ show_usage("ip number\n");
|
|
+ break;
|
|
+ case '/':
|
|
+ if (atoi(p) == 0) {
|
|
+ mask->s_addr = 0;
|
|
+ } else {
|
|
+ mask->s_addr = htonl(0xffffffff << (32 - atoi(p)));
|
|
+ }
|
|
+ break;
|
|
+ default:
|
|
+ mask->s_addr = htonl(0xffffffff);
|
|
+ break;
|
|
+ }
|
|
av++;
|
|
ac--;
|
|
}
|
|
@@ -611,10 +621,9 @@
|
|
break;
|
|
case 'N':
|
|
do_resolv=1;
|
|
- - break;
|
|
- - case '?':
|
|
- - default:
|
|
- - show_usage(NULL);
|
|
+ break;
|
|
+ default:
|
|
+ show_usage(NULL);
|
|
}
|
|
|
|
ac -= optind;
|
|
@@ -645,7 +654,7 @@
|
|
} else {
|
|
show_usage(NULL);
|
|
}
|
|
- - return 0;
|
|
+ return 0;
|
|
}
|
|
|
|
int
|
|
|
|
|
|
This one applies to -current:
|
|
|
|
|
|
Index: ipfw.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
|
|
retrieving revision 1.26
|
|
retrieving revision 1.27
|
|
diff -u -r1.26 -r1.27
|
|
- --- ipfw.c 1996/06/18 01:46:34 1.26
|
|
+++ ipfw.c 1996/06/23 20:47:51 1.27
|
|
@@ -16,7 +16,7 @@
|
|
*
|
|
* NEW command line interface for IP firewall facility
|
|
*
|
|
- - * $Id: FreeBSD-SA-96:14.ipfw.asc,v 1.1 2001/09/02 00:04:38 kris Exp $
|
|
+ * $Id: FreeBSD-SA-96:14.ipfw.asc,v 1.1 2001/09/02 00:04:38 kris Exp $
|
|
*
|
|
*/
|
|
|
|
@@ -256,7 +256,7 @@
|
|
}
|
|
|
|
if (chain->fw_flg & IP_FW_F_FRAG)
|
|
- - printf("frag ");
|
|
+ printf(" frag ");
|
|
|
|
if (chain->fw_ipopt || chain->fw_ipnopt) {
|
|
int _opt_printed = 0;
|
|
@@ -408,12 +408,23 @@
|
|
|
|
if (lookup_host(*av,ipno) != 0)
|
|
show_usage("ip number\n");
|
|
- - if (md == ':' && !inet_aton(p,mask))
|
|
- - show_usage("ip number\n");
|
|
- - else if (md == '/')
|
|
- - mask->s_addr = htonl(0xffffffff << (32 - atoi(p)));
|
|
- - else
|
|
- - mask->s_addr = htonl(0xffffffff);
|
|
+ switch (md) {
|
|
+ case ':':
|
|
+ if (!inet_aton(p,mask))
|
|
+ show_usage("ip number\n");
|
|
+ break;
|
|
+ case '/':
|
|
+ if (atoi(p) == 0) {
|
|
+ mask->s_addr = 0;
|
|
+ } else {
|
|
+ mask->s_addr = htonl(0xffffffff << (32 - atoi(p)));
|
|
+ }
|
|
+ break;
|
|
+ default:
|
|
+ mask->s_addr = htonl(0xffffffff);
|
|
+ break;
|
|
+ }
|
|
+ ipno->s_addr &= mask->s_addr;
|
|
av++;
|
|
ac--;
|
|
}
|
|
@@ -788,10 +799,9 @@
|
|
break;
|
|
case 'N':
|
|
do_resolv=1;
|
|
- - break;
|
|
- - case '?':
|
|
- - default:
|
|
- - show_usage("Unrecognised switch");
|
|
+ break;
|
|
+ default:
|
|
+ show_usage("Unrecognised switch");
|
|
}
|
|
|
|
ac -= optind;
|
|
@@ -818,7 +828,7 @@
|
|
} else {
|
|
show_usage("Bad arguments");
|
|
}
|
|
- - return 0;
|
|
+ return 0;
|
|
}
|
|
|
|
int
|
|
=============================================================================
|
|
FreeBSD, Inc.
|
|
|
|
Web Site: http://www.freebsd.org/
|
|
Confidential contacts: security-officer@freebsd.org
|
|
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
|
|
Security notifications: security-notifications@freebsd.org
|
|
Security public discussion: security@freebsd.org
|
|
|
|
Notice: Any patches in this document may not apply cleanly due to
|
|
modifications caused by digital signature or mailer software.
|
|
Please reference the URL listed at the top of this document
|
|
for original copies of all patches if necessary.
|
|
=============================================================================
|
|
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.3ia
|
|
Charset: noconv
|
|
|
|
iQCVAwUBMc22kFUuHi5z0oilAQEOBwP/WCVQZdHqv3ITppwCee3qNbe49nbNM4gc
|
|
+s3DX4qMe4olAvpd2izhNzPJH3mrOXzKKJTrZOeouZFDUm099lS67xQnc7F343v8
|
|
iAJMtIZVlA58BmcQcSlmjqh9eqTgNyRIYpgYoefDKkgKE6eukWylariorUo+ppKe
|
|
Tnpol2BUTXo=
|
|
=Ut0+
|
|
-----END PGP SIGNATURE-----
|