Re: PF Fix


Re: PF Fix

Marc Balmer-2
Max Laier has problems getting Email through the OpenBSD MX, so I am  
forwarding this for him.

- Marc Balmer


From: Max Laier <[hidden email]>
Date: 20 August 2009 17:33:24 GMT+02:00
To: [hidden email]
Subject: Fwd: PF fix.


The problem Pawel discovered (s.b.) still exists in OpenBSD current. I sent
Pawel's analysis to Henning and Ryan yesterday, but since I haven't heard back
yet, I'm guessing summer holidays.  So could somebody take a look? The patch
is against FreeBSD, but should apply with a bit of fuzz and -p3 in OpenBSD
src/sys just as well.  Thanks.

----------  Forwarded Message  ----------

Subject: PF fix.
Date: Wednesday 19 August 2009
From: Pawel Jakub Dawidek <[hidden email]>
To: [hidden email]

Hi.

I just found a bug in PF where the order of arguments for memcpy() is
messed up. If you have a rule like this:

        pass on net1 from (net0) to any

And more than 64 aliases on net0, this will fail.

I also changed pfi_buffer_cnt to pfi_buffer_max, because the if
statement suggests that pfi_buffer_cnt can be greater than
pfi_buffer_max. If that would be true then we would try to copy too much.
Although from looking at the code I don't believe this is possible.

The patch is here:

        http://people.freebsd.org/~pjd/patches/pf_if.c.patch

--
Pawel Jakub Dawidek                       http://www.wheel.pl
[hidden email]                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

-------------------------------------------------------

--- sys/contrib/pf/net/pf_if.c (wersja 196288)
+++ sys/contrib/pf/net/pf_if.c (kopia robocza)
@@ -663,7 +663,7 @@ pfi_address_add(struct sockaddr *sa, int af, int n
                            "(%d/%d)\n", pfi_buffer_cnt, PFI_BUFFER_MAX);
                        return;
                }
- memcpy(pfi_buffer, p, pfi_buffer_cnt * sizeof(*pfi_buffer));
+ memcpy(p, pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer));
                /* no need to zero buffer */
                free(pfi_buffer, PFI_MTYPE);
                pfi_buffer = p;
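
Review bot: On the added memcpy(p, pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer)) line, the change of the length from pfi_buffer_cnt to pfi_buffer_max is only safe if pfi_buffer_max still holds the old buffer's capacity at this point. The assignment that raises pfi_buffer_max is not visible in this hunk, and if it ever ends up above the memcpy() the copy would read past the end of the old pfi_buffer before it is freed. I would either keep pfi_buffer_cnt as the length (it is the number of valid entries) and assert pfi_buffer_cnt <= pfi_buffer_max, or add a comment here stating that pfi_buffer_max is the pre-growth size. The argument swap is the actual fix; splitting the length change into its own commit would make each easier to verify.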


--
/"\  Best regards,                      | [hidden email]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
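
The failure Pawel describes, reproduced in userland as an added example (not code from the messages above or from PF): a buffer that grows when full, once with the swapped memcpy() arguments and once with the corrected order. The names addr_buf, buf_add and surviving_entries are hypothetical, and the starting capacity of 64 and the doubling policy are assumptions taken from the "more than 64 aliases" remark.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_MAX 64  /* assumed starting capacity ("more than 64 aliases") */
#define POISON 0xA5     /* stands in for uninitialised heap contents */
struct addr_buf { unsigned *buf; int cnt, max; };

/* Append one entry, doubling the buffer when full (growth policy assumed). */
static void buf_add(struct addr_buf *b, unsigned value, int fixed)
{
    if (b->cnt >= b->max) {
        int new_max = b->max * 2;
        unsigned *p = malloc(new_max * sizeof(*b->buf));
        if (p == NULL)
            abort();
        memset(p, POISON, new_max * sizeof(*b->buf));
        if (fixed)  /* destination first: old entries move to the new buffer */
            memcpy(p, b->buf, b->cnt * sizeof(*b->buf));
        else        /* swapped: poison lands on the old entries instead */
            memcpy(b->buf, p, b->cnt * sizeof(*b->buf));
        free(b->buf);
        b->buf = p;
        b->max = new_max;
    }
    b->buf[b->cnt++] = value;
}

/* Store 1..n, then count the slots that still hold what was stored. */
int surviving_entries(int n, int fixed)
{
    struct addr_buf b = { malloc(INITIAL_MAX * sizeof(unsigned)), 0, INITIAL_MAX };
    int i, ok = 0;
    if (b.buf == NULL)
        abort();
    for (i = 0; i < n; i++)
        buf_add(&b, (unsigned)i + 1, fixed);
    for (i = 0; i < n; i++)
        ok += (b.buf[i] == (unsigned)i + 1);
    free(b.buf);
    return ok;
}

int main(void)
{
    printf("65 entries, swapped memcpy: %d intact\n", surviving_entries(65, 0));
    printf("65 entries, fixed memcpy:   %d intact\n", surviving_entries(65, 1));
    return 0;
}
```

With the swapped arguments nothing overflows; the first 64 entries are silently replaced by whatever the fresh allocation contained, which is why the bug only shows once the table has to grow.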


Re: PF Fix

Max Laier
Trying to make sure this one doesn't fall through the cracks - can anyone
please take a look - it's very straightforward.

On Friday 21 August 2009 09:26:10 Marc Balmer wrote:

> Max Laier has problems getting Email through the OpenBSD MX, so I am
> forwarding this for him.
>
> - Marc Balmer
>
>
> From: Max Laier <[hidden email]>
> Date: 20 August 2009 17:33:24 GMT+02:00
> To: [hidden email]
> Subject: Fwd: PF fix.
>
>
> The problem Pawel discovered (s.b.) still exists in OpenBSD current. I sent
> Pawel's analysis to Henning and Ryan yesterday, but since I haven't heard back
> yet, I'm guessing summer holidays.  So could somebody take a look? The patch
> is against FreeBSD, but should apply with a bit of fuzz and -p3 in OpenBSD
> src/sys just as well.  Thanks.
>
> ----------  Forwarded Message  ----------
>
> Subject: PF fix.
> Date: Wednesday 19 August 2009
> From: Pawel Jakub Dawidek <[hidden email]>
> To: [hidden email]
>
> Hi.
>
> I just found a bug in PF where the order of arguments for memcpy() is
> messed up. If you have a rule like this:
>
> pass on net1 from (net0) to any
>
> And more than 64 aliases on net0, this will fail.
>
> I also changed pfi_buffer_cnt to pfi_buffer_max, because the if
> statement suggests that pfi_buffer_cnt can be greater than
> pfi_buffer_max. If that would be true then we would try to copy too much.
> Although from looking at the code I don't believe this is possible.
>
> The patch is here:
>
> http://people.freebsd.org/~pjd/patches/pf_if.c.patch

--
/"\  Best regards,                      | [hidden email]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News