authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2004-12-17 17:32:29 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2004-12-17 17:32:29 +0000
commit0df44f0926334501a08c07faea394c80864502c8 (patch)
treea5f38cb491e88689563ebbe0828f51b26381b992
parentbdf1d260e9307fce29460134545a24256ad15237 (diff)
ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise, a colliding key might be missed or a state insertion might be refused even though it could be inserted. The second case triggers the endless loop fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel. Report and test data by Srebrenko Sehic.
-rw-r--r--sys/net/pf.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 9260c7eac24..28bb0a313ef 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.474 2004/12/14 03:49:06 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.475 2004/12/17 17:32:28 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2166,7 +2166,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
* similar 2 portloop in in_pcbbind
*/
if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) {
- key.gwy.port = 0;
+ key.gwy.port = dport;
if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
return (0);
} else if (low == 0 && high == 0) {
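Review bot: The branch guarded by `if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP))` covers every protocol other than TCP and UDP, but `key.gwy.port = dport;` is only correct when the caller passes the value that state insertion stores as the port for that protocol. The commit message establishes this for ICMP (the ICMP id); for other protocols it presumably relies on callers outside this hunk still passing 0, which should be confirmed. I would add a comment above the assignment, for example `/* non-TCP/UDP: dport carries the state key's port (ICMP id for ICMP); must match state insertion */`, because a lookup key built differently from the inserted key is what let a collision go undetected. pf_get_sport begins and ends outside the hunk.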
@@ -3351,7 +3351,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
if (direction == PF_OUT) {
/* check outgoing packet for BINAT/NAT */
if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
- saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
+ saddr, icmpid, daddr, icmpid, &pd->naddr, NULL)) != NULL) {
PF_ACPY(&pd->baddr, saddr, af);
switch (af) {
#ifdef INET
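Review bot: `icmpid` now fills both positional port arguments of `pf_get_translation` in this PF_OUT call and in the PF_IN call of the next hunk, and neither call site says that the ICMP id is standing in for a port. A short comment at each call, such as `/* ICMP id serves as the port in the state key */`, would keep a later edit from resetting one argument to 0 and reintroducing the key mismatch described in the commit message. It is also worth confirming, outside these hunks, that `icmpid` is in the byte order the state key expects. If `pf_get_translation` also uses these port values for rule matching rather than only for key construction, a non-zero value could change which translation rule matches an ICMP packet. pf_test_icmp continues beyond both hunks.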
@@ -3375,7 +3375,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
} else {
/* check incoming packet for BINAT/RDR */
if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
- saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
+ saddr, icmpid, daddr, icmpid, &pd->naddr, NULL)) != NULL) {
PF_ACPY(&pd->baddr, daddr, af);
switch (af) {
#ifdef INET