diff options
-rw-r--r-- | sbin/ipf/HISTORY | 26 | ||||
-rw-r--r-- | sbin/ipf/parse.c | 31 | ||||
-rw-r--r-- | sbin/ipfstat/fils.c | 12 | ||||
-rw-r--r-- | sbin/ipnat/ipnat.c | 4 | ||||
-rw-r--r-- | sbin/ipnat/natparse.c | 10 | ||||
-rw-r--r-- | sys/netinet/fil.c | 10 | ||||
-rw-r--r-- | sys/netinet/ip_fil.c | 18 | ||||
-rw-r--r-- | sys/netinet/ip_fil_compat.h | 6 | ||||
-rw-r--r-- | sys/netinet/ip_frag.c | 7 | ||||
-rw-r--r-- | sys/netinet/ip_ftp_pxy.c | 46 | ||||
-rw-r--r-- | sys/netinet/ip_nat.c | 55 | ||||
-rw-r--r-- | sys/netinet/ip_proxy.c | 7 | ||||
-rw-r--r-- | sys/netinet/ip_state.c | 57 | ||||
-rw-r--r-- | sys/netinet/ip_state.h | 8 | ||||
-rw-r--r-- | sys/netinet/ipl.h | 4 | ||||
-rw-r--r-- | usr.sbin/ipmon/ipmon.c | 67 |
16 files changed, 279 insertions, 89 deletions
diff --git a/sbin/ipf/HISTORY b/sbin/ipf/HISTORY index be00c1875f4..5c81d705dab 100644 --- a/sbin/ipf/HISTORY +++ b/sbin/ipf/HISTORY @@ -1,4 +1,4 @@ -# $OpenBSD: HISTORY,v 1.8 2000/05/24 21:59:11 kjell Exp $ +# $OpenBSD: HISTORY,v 1.9 2000/08/10 05:50:27 kjell Exp $ # # NOTE: Quite a few patches and suggestions come from other sources, to whom # I'm greatly indebted, even if no names are mentioned. @@ -21,6 +21,30 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.3.18 08/08/2000 - Released + +fix up command checking in the ftp proxy + +fix getting the version from the kernel for solaris + +fix icmp state checking bug + +print out better information for ICMP packets in ipmon + +open ipfilter device read only if we know we can + +3.3.17 08/07/2000 - Released + +increase default state table sizes + +don't apply patches to FreeBSD twice + +fix parsing of icmp code when using words + +fix printing of icmp code when it is 0 + +add compatibility #ifdef for FreeBSD's CSUM_DELAY_DATA + 3.3.16 23/05/2000 - Released don't add TCP state if it is an RST packet and (attempt) to send out diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c index 8b3e04f1027..9b6b38f10c5 100644 --- a/sbin/ipf/parse.c +++ b/sbin/ipf/parse.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.c,v 1.34 2000/04/05 05:35:28 kjell Exp $ */ +/* $OpenBSD: parse.c,v 1.35 2000/08/10 05:50:27 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -43,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.1.2.12 2000/03/08 11:43:55 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.1.2.14 2000/06/21 14:50:52 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; @@ -1268,14 +1268,20 @@ int linenum; linenum, **cp); return -1; } - fp->fr_icmp |= (u_short)i; - fp->fr_icmpm = (u_short)0xffff; - (*cp)++; - return 0; + } else { + i = icmpcode(**cp); + if (i == -1) { + fprintf(stderr, + "%d: Invalid icmp code (%s) specified\n", + linenum, **cp); + return -1; + } } - fprintf(stderr, "%d: Invalid icmp code (%s) specified\n", - linenum, **cp); - return -1; + i &= 0xff; + fp->fr_icmp |= (u_short)i; + fp->fr_icmpm = (u_short)0xffff; + (*cp)++; + return 0; } @@ -1295,9 +1301,8 @@ char *str; char *s; int i, len; - if (!(s = strrchr(str, ')'))) - return -1; - *s = '\0'; + if ((s = strrchr(str, ')'))) + *s = '\0'; if (isdigit(*str)) { if (!ratoi(str, &i, 0, 255)) return -1; @@ -1565,7 +1570,7 @@ struct frentry *fp; printf(" icmp-type %s", icmptypes[type]); else printf(" icmp-type %d", type); - if (code) + if (ntohs(fp->fr_icmpm) & 0xff) printf(" code %d", code); } if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) { diff --git a/sbin/ipfstat/fils.c b/sbin/ipfstat/fils.c index 548c021a2aa..e92236fb230 100644 --- a/sbin/ipfstat/fils.c +++ b/sbin/ipfstat/fils.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fils.c,v 1.20 2000/03/13 23:40:19 kjell Exp $ */ +/* $OpenBSD: fils.c,v 1.21 2000/08/10 05:50:27 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -53,7 +53,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: fils.c,v 2.2.2.6 2000/02/23 11:16:35 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: fils.c,v 2.2.2.7 2000/05/24 20:34:56 darrenr Exp $"; #endif #define F_IN 0 @@ -314,15 +314,15 @@ frentry_t *fp; fp->fr_flags |= FR_OUTQUE; if (opts & (OPT_HITS|OPT_VERBOSE)) #ifdef USE_QUAD_T - printf("%qd ", fp->fr_hits); + printf("%qu ", fp->fr_hits); #else - printf("%ld ", fp->fr_hits); + printf("%lu ", fp->fr_hits); #endif if (opts & (OPT_ACCNT|OPT_VERBOSE)) #ifdef USE_QUAD_T - printf("%qd ", fp->fr_bytes); + printf("%qu ", fp->fr_bytes); #else - printf("%ld ", fp->fr_bytes); + printf("%lu ", fp->fr_bytes); #endif if (opts & OPT_SHOWLINENO) printf("@%d ", n); diff --git a/sbin/ipnat/ipnat.c b/sbin/ipnat/ipnat.c index e9e9a17f8b7..3cfc24a5892 100644 --- a/sbin/ipnat/ipnat.c +++ b/sbin/ipnat/ipnat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipnat.c,v 1.37 2000/07/26 20:33:01 mickey Exp $ */ +/* $OpenBSD: ipnat.c,v 1.38 2000/08/10 05:50:27 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -58,7 +58,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ipnat.c,v 2.1.2.2 1999/12/04 02:09:30 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ipnat.c,v 2.1.2.3 2000/07/27 13:07:07 darrenr Exp $"; #endif diff --git a/sbin/ipnat/natparse.c b/sbin/ipnat/natparse.c index ff15cfe14e4..62c40794f15 100644 --- a/sbin/ipnat/natparse.c +++ b/sbin/ipnat/natparse.c @@ -1,4 +1,4 @@ -/* $OpenBSD: natparse.c,v 1.5 2000/05/01 06:16:48 kjell Exp $ */ +/* $OpenBSD: natparse.c,v 1.6 2000/08/10 05:50:27 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -55,7 +55,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: natparse.c,v 1.2.2.2 2000/03/25 00:37:37 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: natparse.c,v 1.2.2.3 2000/06/25 07:13:28 darrenr Exp $"; #endif @@ -746,7 +746,11 @@ char *msk; if (strchr(msk, '.')) return inet_addr(msk); if (strchr(msk, 'x')) - return (u_32_t)strtol(msk, NULL, 0); +#if defined(sun) && !defined(__SVR4) && !defined(__svr4__) + return (u_32_t)htonl(strtol(msk, NULL, 0)); +#else + return (u_32_t)htonl(strtoul(msk, NULL, 0)); +#endif /* * set x most significant bits */ diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c index 676b5418e0f..828ad128d60 100644 --- a/sys/netinet/fil.c +++ b/sys/netinet/fil.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fil.c,v 1.25 2000/05/24 21:59:10 kjell Exp $ */ +/* $OpenBSD: fil.c,v 1.26 2000/08/10 05:50:25 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.20 2000/05/22 06:57:42 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.22 2000/07/08 02:13:28 darrenr Exp $"; #endif #include <sys/errno.h> @@ -23,6 +23,9 @@ static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.3.2.20 2000/05/22 06:57:42 #endif #if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \ (__FreeBSD_version >= 220000) +# if (__FreeBSD_version >= 400019) +# define CSUM_DELAY_DATA +# endif # include <sys/filio.h> # include <sys/fcntl.h> #else @@ -1187,7 +1190,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $IPFilter: fil.c,v 2.3.2.20 2000/05/22 06:57:42 darrenr Exp $ + * $IPFilter: fil.c,v 2.3.2.22 2000/07/08 02:13:28 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1592,6 +1595,7 @@ void frsync() ip_natsync(ifp); ip_statesync(ifp); } + ip_natsync((struct ifnet *)-1); # endif WRITE_ENTER(&ipf_mutex); diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c index 5f5cb113d24..b8243712c19 100644 --- a/sys/netinet/ip_fil.c +++ b/sys/netinet/ip_fil.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_fil.c,v 1.35 2000/05/24 21:59:11 kjell Exp $ */ +/* $OpenBSD: ip_fil.c,v 1.36 2000/08/10 05:50:25 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.21 2000/05/22 06:57:47 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.4.2.22 2000/07/08 02:43:47 darrenr Exp $"; #endif #ifndef SOLARIS @@ -1401,15 +1401,29 @@ char *name; if (!ifneta) { ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2); + if (!ifneta) + return NULL; ifneta[1] = NULL; ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp)); + if (!ifneta[0]) { + free(ifneta); + return NULL; + } nifs = 1; } else { nifs++; ifneta = (struct ifnet **)realloc(ifneta, (nifs + 1) * sizeof(*ifa)); + if (!ifneta) { + nifs = 0; + return NULL; + } ifneta[nifs] = NULL; ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp)); + if (!ifneta[nifs - 1]) { + nifs--; + return NULL; + } } ifp = ifneta[nifs - 1]; diff --git a/sys/netinet/ip_fil_compat.h b/sys/netinet/ip_fil_compat.h index d9c078e47e3..97f420e12ae 100644 --- a/sys/netinet/ip_fil_compat.h +++ b/sys/netinet/ip_fil_compat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_fil_compat.h,v 1.17 2000/06/16 21:47:16 provos Exp $ */ +/* $OpenBSD: ip_fil_compat.h,v 1.18 2000/08/10 05:50:26 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -149,6 +149,10 @@ typedef unsigned long u_32_t; # endif #endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */ +#ifndef MAX +#define MAX(a,b) (((a) > (b)) ? (a) : (b)) +#endif + /* * Security Options for Intenet Protocol (IPSO) as defined in RFC 1108. * diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c index e2780d3e256..4ac9b87c98a 100644 --- a/sys/netinet/ip_frag.c +++ b/sys/netinet/ip_frag.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_frag.c,v 1.17 2000/03/13 23:40:18 kjell Exp $ */ +/* $OpenBSD: ip_frag.c,v 1.18 2000/08/10 05:50:26 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ip_frag.c,v 2.4.2.4 1999/11/28 04:52:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_frag.c,v 2.4.2.5 2000/06/06 15:50:48 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) @@ -139,6 +139,9 @@ ipfr_t *table[]; ipfr_t **fp, *fra, frag; u_int idx; + if (ipfr_inuse >= IPFT_SIZE) + return NULL; + frag.ipfr_p = ip->ip_p; idx = ip->ip_p; frag.ipfr_id = ip->ip_id; diff --git a/sys/netinet/ip_ftp_pxy.c b/sys/netinet/ip_ftp_pxy.c index 755bbe4efca..16ec4c3edf5 100644 --- a/sys/netinet/ip_ftp_pxy.c +++ b/sys/netinet/ip_ftp_pxy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ftp_pxy.c,v 1.10 2000/04/12 21:32:39 kjell Exp $ */ +/* $OpenBSD: ip_ftp_pxy.c,v 1.11 2000/08/10 05:50:26 kjell Exp $ */ /* * Simple FTP transparent proxy for in-kernel use. For use with the NAT @@ -9,7 +9,10 @@ extern kmutex_t ipf_rw; #endif #define isdigit(x) ((x) >= '0' && (x) <= '9') -#define isupper(x) ((unsigned)((x) - 'A') <= 'Z' - 'A') +#define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z')) +#define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z')) +#define isalpha(x) (isupper(x) || islower(x)) +#define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'A') #define IPF_FTP_PROXY @@ -26,7 +29,7 @@ int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *)); int ippr_ftp_portmsg __P((fr_info_t *, ip_t *, nat_t *)); int ippr_ftp_pasvmsg __P((fr_info_t *, ip_t *, nat_t *)); -int ippr_ftp_complete __P((char *, size_t)); +int ippr_ftp_complete __P((char *, size_t, char *)); u_short ipf_ftp_atoi __P((char **)); @@ -46,8 +49,8 @@ int ippr_ftp_init() } -int ippr_ftp_complete(buf, len) -char *buf; +int ippr_ftp_complete(buf, len, cbuf) +char *buf, *cbuf; size_t len; { register char *s, c; @@ -74,17 +77,22 @@ size_t len; return -1; } else return -1; - } else if (isupper(c)) { + } else if (isalpha(c)) { + cbuf[0] = toupper(c); c = *s++; i--; - if (isupper(c)) { + if (isalpha(c)) { + cbuf[1] = toupper(c); c = *s++; i--; - if (isupper(c)) { + if (isalpha(c)) { + cbuf[2] = toupper(c); c = *s++; i--; - if (isupper(c)) { + if (isalpha(c)) { + cbuf[3] = toupper(c); c = *s++; + cbuf[4] = c; i--; if (c != ' ') return -1; @@ -164,7 +172,7 @@ fr_info_t *fin; ip_t *ip; nat_t *nat; { - char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s; + char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s, cmd[6]; tcphdr_t *tcp, tcph, *tcp2 = &tcph; size_t nlen = 0, dlen, olen; u_short a5, a6, sp, dp; @@ -196,26 +204,27 @@ nat_t *nat; if (dlen > 0) m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); #endif - if (dlen == 0) + if (dlen <= 0) return 0; + bzero(cmd, sizeof(cmd)); portbuf[sizeof(portbuf) - 1] = '\0'; *newbuf = '\0'; /* * Check that a user is progressing through the login ok. */ - if (ippr_ftp_complete(portbuf, dlen)) + if (ippr_ftp_complete(portbuf, dlen, cmd)) return 0; ftp = nat->nat_aps->aps_data; switch (ftp->ftp_passok) { case 0 : - if (!strncmp(portbuf, "USER ", 5)) + if (!strncmp(cmd, "USER ", 5)) ftp->ftp_passok = 1; break; case 2 : - if (!strncmp(portbuf, "PASS ", 5)) + if (!strncmp(cmd, "PASS ", 5)) ftp->ftp_passok = 3; break; } @@ -224,7 +233,7 @@ nat_t *nat; /* * Check for client sending out PORT message. */ - if (!ippr_ftp_pasvonly && !strncmp(portbuf, "PORT ", 5)) { + if (!ippr_ftp_pasvonly && !strncmp(cmd, "PORT ", 5)) { if (dlen < IPF_MINPORTLEN) return 0; } else @@ -391,7 +400,7 @@ fr_info_t *fin; ip_t *ip; nat_t *nat; { - char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s; + char portbuf[IPF_FTPBUFSZ], newbuf[IPF_FTPBUFSZ], *s, cmd[6]; int off, olen, dlen, nlen = 0, inc = 0; tcphdr_t tcph, *tcp2 = &tcph; struct in_addr swip, swip2; @@ -422,8 +431,9 @@ nat_t *nat; if (dlen > 0) m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); #endif - if (dlen == 0) + if (dlen <= 0) return 0; + bzero(cmd, sizeof(cmd)); portbuf[sizeof(portbuf) - 1] = '\0'; *newbuf = '\0'; @@ -450,7 +460,7 @@ nat_t *nat; break; } - if (ippr_ftp_complete(portbuf, dlen) || (ftp->ftp_passok != 4)) + if (ippr_ftp_complete(portbuf, dlen, cmd) || (ftp->ftp_passok != 4)) return 0; /* diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c index 6bf634f9c9c..a6283e04d34 100644 --- a/sys/netinet/ip_nat.c +++ b/sys/netinet/ip_nat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_nat.c,v 1.33 2000/07/03 04:50:05 aaron Exp $ */ +/* $OpenBSD: ip_nat.c,v 1.34 2000/08/10 05:50:26 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. @@ -11,7 +11,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ip_nat.c,v 2.2.2.18 2000/05/19 15:52:29 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_nat.c,v 2.2.2.21 2000/08/08 16:00:33 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -410,7 +410,7 @@ int mode; * mapping range. In all cases, the range is inclusive of * the start and ending IP addresses. * If to a CIDR address, lose 2: broadcast + network address - * (so subtract 1) + * (so subtract 1) * If to a range, add one. * If to a single IP address, set to 1. */ @@ -614,9 +614,9 @@ void nat_ifdetach(ifp) struct ifnet *ifp; { - ipnat_t *n, **np = &nat_list; + ipnat_t *n, **np; - while ((n = *np)) { + for (np = &nat_list; (n = *np) != NULL; np = &n->in_next) { *np = n->in_next; if (!n->in_use) { if (n->in_apr) @@ -627,6 +627,7 @@ nat_ifdetach(ifp) n->in_flags |= IPN_DELETE; n->in_next = NULL; } + n = NULL; } } @@ -1027,11 +1028,13 @@ nat_t *nat_icmpinlookup(ip, fin) ip_t *ip; fr_info_t *fin; { - icmphdr_t *icmp; tcphdr_t *tcp = NULL; + icmphdr_t *icmp; ip_t *oip; - int flags = 0, type; + int flags = 0, type, minlen; + if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) + return NULL; icmp = (icmphdr_t *)fin->fin_dp; /* * Does it at least have the return (basic) IP header ? @@ -1050,13 +1053,43 @@ fr_info_t *fin; return NULL; oip = (ip_t *)((char *)fin->fin_dp + 8); - if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)) + minlen = (oip->ip_hl << 2); + if (ip->ip_len < ICMPERR_MINPKTLEN + minlen) + return NULL; + /* + * Is the buffer big enough for all of it ? It's the size of the IP + * header claimed in the encapsulated part which is of concern. It + * may be too big to be in this buffer but not so big that it's + * outside the ICMP packet, leading to TCP deref's causing problems. + * This is possible because we don't know how big oip_hl is when we + * do the pullup early in fr_check() and thus can't gaurantee it is + * all here now. + */ +#ifdef _KERNEL + { + mb_t *m; + +# if SOLARIS + m = fin->fin_qfm; + if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > (char *)m->b_wptr) return NULL; +# else + m = *(mb_t **)fin->fin_mp; + if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > + (char *)ip + m->m_len) + return NULL; +# endif + } +#endif + if (oip->ip_p == IPPROTO_TCP) flags = IPN_TCP; else if (oip->ip_p == IPPROTO_UDP) flags = IPN_UDP; if (flags & IPN_TCPUDP) { + minlen += 8; /* + 64bits of data to get ports */ + if (ip->ip_len < ICMPERR_MINPKTLEN + minlen) + return NULL; tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p, oip->ip_dst, oip->ip_src, @@ -1135,7 +1168,10 @@ u_int *nflags; if ((flags & IPN_TCPUDP) != 0) { tcphdr_t *tcp; - /* XXX - what if this is bogus hl and we go off the end ? */ + /* + * XXX - what if this is bogus hl and we go off the end ? + * In this case, nat_icmpinlookup() will have returned NULL. + */ tcp = (tcphdr_t *)((((char *)oip) + (oip->ip_hl << 2))); if (nat->nat_dir == NAT_OUTBOUND) { @@ -1466,6 +1502,7 @@ maskloop: } else if (ip->ip_p == IPPROTO_ICMP) { nat->nat_age = fr_defnaticmpage; } + if (csump) { if (nat->nat_dir == NAT_OUTBOUND) fix_outcksum(csump, nat->nat_sumd[1], diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c index 871183209f1..d6803d78744 100644 --- a/sys/netinet/ip_proxy.c +++ b/sys/netinet/ip_proxy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_proxy.c,v 1.10 2000/06/16 21:47:16 provos Exp $ */ +/* $OpenBSD: ip_proxy.c,v 1.11 2000/08/10 05:50:26 kjell Exp $ */ /* * Copyright (C) 1997-1998 by Darren Reed. @@ -80,6 +80,11 @@ static const char rcsid[] = "@(#)$IPFilter: ip_proxy.c,v 2.2.2.4 2000/03/15 13:5 # include <sys/malloc.h> #endif + +#ifndef MIN +#define MIN(a,b) (((a)<(b))?(a):(b)) +#endif + static ap_session_t *appr_new_session __P((aproxy_t *, ip_t *, fr_info_t *, nat_t *)); static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c index 983d2ca299b..51cda10dee3 100644 --- a/sys/netinet/ip_state.c +++ b/sys/netinet/ip_state.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_state.c,v 1.22 2000/05/24 21:59:11 kjell Exp $ */ +/* $OpenBSD: ip_state.c,v 1.23 2000/08/10 05:50:26 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.3.2.25 2000/05/22 06:57:53 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.3.2.28 2000/08/08 16:00:35 darrenr Exp $"; #endif #include <sys/errno.h> @@ -152,7 +152,7 @@ static ips_stat_t *fr_statetstats() * flush state tables. two actions currently defined: * which == 0 : flush all state table entries * which == 1 : flush TCP connections which have started to close but are - * stuck for some reason. + * stuck for some reason. */ static int fr_state_flush(which) int which; @@ -679,12 +679,12 @@ fr_info_t *fin; register u_char pr; struct icmp *ic; u_short savelen; + icmphdr_t *icmp; fr_info_t ofin; tcphdr_t *tcp; - icmphdr_t *icmp; + int type, len; frentry_t *fr; ip_t *oip; - int type; u_int hv; /* @@ -708,6 +708,38 @@ fr_info_t *fin; if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)) return NULL; + /* + * Sanity Checks. + */ + len = fin->fin_dlen - ICMPERR_ICMPHLEN; + if ((len <= 0) || ((oip->ip_hl << 2) > len)) + return NULL; + + /* + * Is the buffer big enough for all of it ? It's the size of the IP + * header claimed in the encapsulated part which is of concern. It + * may be too big to be in this buffer but not so big that it's + * outside the ICMP packet, leading to TCP deref's causing problems. + * This is possible because we don't know how big oip_hl is when we + * do the pullup early in fr_check() and thus can't gaurantee it is + * all here now. + */ +#ifdef _KERNEL + { + mb_t *m; + +# if SOLARIS + m = fin->fin_qfm; + if ((char *)oip + len > (char *)m->b_wptr) + return NULL; +# else + m = *(mb_t **)fin->fin_mp; + if ((char *)oip + len > (char *)ip + m->m_len) + return NULL; +# endif + } +#endif + if (oip->ip_p == IPPROTO_ICMP) { icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2)); @@ -738,9 +770,10 @@ fr_info_t *fin; } hv %= fr_statesize; - oip->ip_len = ntohs(oip->ip_len); + savelen = oip->ip_len; + oip->ip_len = len; fr_makefrip(oip->ip_hl << 2, oip, &ofin); - oip->ip_len = htons(oip->ip_len); + oip->ip_len = savelen; ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ @@ -795,7 +828,7 @@ fr_info_t *fin; * order. Any change we make must be undone afterwards. */ savelen = oip->ip_len; - oip->ip_len = ip->ip_len - (ip->ip_hl << 2) - ICMPERR_ICMPHLEN; + oip->ip_len = len; fr_makefrip(oip->ip_hl << 2, oip, &ofin); oip->ip_len = savelen; ofin.fin_ifp = fin->fin_ifp; @@ -899,7 +932,15 @@ fr_info_t *fin; case IPPROTO_TCP : { register u_short dport = tcp->th_dport, sport = tcp->th_sport; + register int i; + i = tcp->th_flags; + /* + * Just plain ignore RST flag set with either FIN or SYN. + */ + if ((i & TH_RST) && + ((i & (TH_FIN|TH_SYN|TH_RST)) != TH_RST)) + break; tryagain = 0; retry_tcp: hvm = hv % fr_statesize; diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h index 5174f8571d4..edfcc8d6e3a 100644 --- a/sys/netinet/ip_state.h +++ b/sys/netinet/ip_state.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_state.h,v 1.14 2000/04/13 17:13:42 kjell Exp $ */ +/* $OpenBSD: ip_state.h,v 1.15 2000/08/10 05:50:26 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. @@ -8,17 +8,17 @@ * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $IPFilter: ip_state.h,v 2.1.2.4 2000/02/23 15:23:27 darrenr Exp $ + * $IPFilter: ip_state.h,v 2.1.2.5 2000/07/08 02:15:56 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ #ifndef IPSTATE_SIZE -# define IPSTATE_SIZE 257 +# define IPSTATE_SIZE 5737 #endif #ifndef IPSTATE_MAX -# define IPSTATE_MAX 2048 /* Maximum number of states held */ +# define IPSTATE_MAX 4013 /* Maximum number of states held */ #endif #define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ diff --git a/sys/netinet/ipl.h b/sys/netinet/ipl.h index ffdd854ff0d..1fd9dfb8feb 100644 --- a/sys/netinet/ipl.h +++ b/sys/netinet/ipl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipl.h,v 1.11 2000/05/24 21:59:11 kjell Exp $ */ +/* $OpenBSD: ipl.h,v 1.12 2000/08/10 05:50:26 kjell Exp $ */ /* * Copyright (C) 1993-1999 by Darren Reed. @@ -13,6 +13,6 @@ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.3.16" +#define IPL_VERSION "IP Filter: v3.3.18" #endif diff --git a/usr.sbin/ipmon/ipmon.c b/usr.sbin/ipmon/ipmon.c index 31b42559040..6b38934dbaa 100644 --- a/usr.sbin/ipmon/ipmon.c +++ b/usr.sbin/ipmon/ipmon.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipmon.c,v 1.23 2000/03/13 23:40:20 kjell Exp $ */ +/* $OpenBSD: ipmon.c,v 1.24 2000/08/10 05:50:27 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ipmon.c,v 2.3.2.5 2000/02/16 14:40:39 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ipmon.c,v 2.3.2.6 2000/08/07 13:04:51 darrenr Exp $"; #endif #ifndef SOLARIS @@ -579,10 +579,11 @@ int blen; { tcphdr_t *tp; struct icmp *ic; + struct icmp *icmphdr; struct tm *tm; char *t, *proto; u_short hl, p; - int i, lvl, res, len; + int i, lvl, res, len, ipoff; ip_t *ipc, *ip; iplog_t *ipl; ipflog_t *ipf; @@ -713,19 +714,57 @@ int blen; ic->icmp_type == ICMP_REDIRECT || ic->icmp_type == ICMP_TIMXCEED) { ipc = &ic->icmp_ip; - tp = (tcphdr_t *)((char *)ipc + hl); - + i = ntohs(ipc->ip_len); + ipoff = ntohs(ipc->ip_off); proto = getproto(ipc->ip_p); - t += strlen(t); - (void) sprintf(t, " for %s,%s -", - hostname(res, ipc->ip_src), - portname(res, proto, (u_int)tp->th_sport)); - t += strlen(t); - (void) sprintf(t, " %s,%s PR %s len %hu %hu", - hostname(res, ipc->ip_dst), - portname(res, proto, (u_int)tp->th_dport), - proto, ipc->ip_hl << 2, ipc->ip_len); + if (!(ipoff & IP_OFFMASK) && + ((ipc->ip_p == IPPROTO_TCP) || + (ipc->ip_p == IPPROTO_UDP))) { + tp = (tcphdr_t *)((char *)ipc + hl); + + t += strlen(t); + (void) sprintf(t, " for %s,%s -", + hostname(res, ipc->ip_src), + portname(res, proto, + (u_int)tp->th_sport)); + t += strlen(t); + (void) sprintf(t, " %s,%s PR %s len %hu %hu", + hostname(res, ipc->ip_dst), + portname(res, proto, + (u_int)tp->th_dport), + proto, ipc->ip_hl << 2, ipc->ip_len); + } else if ((ipc->ip_p == IPPROTO_ICMP) && + !(ipoff & IP_OFFMASK)) { + icmphdr = (icmphdr_t *)((char *)ipc + hl); + + t += strlen(t); + (void) sprintf(t, " for %s -", + hostname(res, ipc->ip_src)); + t += strlen(t); + (void) sprintf(t, + " %s PR icmp len %hu %hu icmp %d/%d", + hostname(res, ipc->ip_dst), + ipc->ip_hl << 2, i, + icmphdr->icmp_type, icmphdr->icmp_code); + } else { + + t += strlen(t); + (void) sprintf(t, " for %s -", + hostname(res, ipc->ip_src)); + t += strlen(t); + (void) sprintf(t, " %s PR %s len %hu (%hu)", + hostname(res, ipc->ip_dst), + proto, ipc->ip_hl << 2, ipc->ip_len); + t += strlen(t); + if (ipc->ip_off & IP_OFFMASK) { + (void) sprintf(t, " frag %s%s%hu@%hu", + ipoff & IP_MF ? "+" : "", + ipoff & IP_DF ? "-" : "", + i - (ipc->ip_hl << 2), + (ipoff & IP_OFFMASK) << 3); + } + } } } else { (void) sprintf(t, "%s -> ", hostname(res, ip->ip_src)); |