author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2004-12-17 17:32:29 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2004-12-17 17:32:29 +0000 |
commit | 0df44f0926334501a08c07faea394c80864502c8 (patch) | |
tree | a5f38cb491e88689563ebbe0828f51b26381b992 | |
parent | bdf1d260e9307fce29460134545a24256ad15237 (diff) |
ICMP state entries use the ICMP ID as port for the unique state key. When
checking for a usable key, construct the key in the same way. Otherwise,
a colliding key might be missed or a state insertion might be refused even
though it could be inserted. The second case triggers the endless loop
fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
Report and test data by Srebrenko Sehic.
-rw-r--r-- | sys/net/pf.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 9260c7eac24..28bb0a313ef 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.474 2004/12/14 03:49:06 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.475 2004/12/17 17:32:28 dhartmei Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -2166,7 +2166,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_rule *r,
 * similar 2 portloop in in_pcbbind
 */
 if (!(proto == IPPROTO_TCP || proto == IPPROTO_UDP)) {
- key.gwy.port = 0;
+ key.gwy.port = dport;
 if (pf_find_state_all(&key, PF_EXT_GWY, NULL) == NULL)
 return (0);
 } else if (low == 0 && high == 0) {
@@ -3351,7 +3351,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
 if (direction == PF_OUT) {
 /* check outgoing packet for BINAT/NAT */
 if ((nr = pf_get_translation(pd, m, off, PF_OUT, kif, &nsn,
- saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
+ saddr, icmpid, daddr, icmpid, &pd->naddr, NULL)) != NULL) {
 PF_ACPY(&pd->baddr, saddr, af);
 switch (af) {
 #ifdef INET
@@ -3375,7 +3375,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
 } else {
 /* check incoming packet for BINAT/RDR */
 if ((nr = pf_get_translation(pd, m, off, PF_IN, kif, &nsn,
- saddr, 0, daddr, 0, &pd->naddr, NULL)) != NULL) {
+ saddr, icmpid, daddr, icmpid, &pd->naddr, NULL)) != NULL) {
 PF_ACPY(&pd->baddr, daddr, af);
 switch (af) {
 #ifdef INET |
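Review bot: The branch in pf_get_sport that now sets `key.gwy.port = dport` is taken for every protocol other than TCP and UDP, not only ICMP, so the lookup key is right only if each caller passes the same value in dport that ends up as the port in the stored state key; nothing in the hunk states that contract. I would add a comment above the assignment, for example `/* non-TCP/UDP: dport must equal the port stored in the state key (the ICMP id for ICMP) */`. Because the commit message ties a mismatch here to a kernel lockup, building the key for lookup and for insertion in one shared helper would keep the two from drifting apart again, though the insertion side is not visible in this diff. The body of pf_get_sport starts and continues outside the hunk.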
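Review bot: In pf_test_icmp the ICMP id is now passed as both the sport and the dport argument of pf_get_translation, in the PF_OUT call here and again in the PF_IN call of the following hunk, so any port comparison made while matching translation rules would presumably be applied to the ICMP id as well. pf_get_translation is not visible in this diff, so it should be confirmed that port criteria are evaluated only for TCP and UDP rules, and that `icmpid` is assigned on both the INET and INET6 paths before these calls are reached. A short comment at each call, such as `/* the ICMP id takes the place of the port in the state key */`, would explain the otherwise surprising arguments. The function body starts and ends outside both hunks.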