NetBSD-Bugs archive


kern/41647: ipfilter: ip-sync accesses wrong rule in ipfsync_state

>Number:         41647
>Category:       kern
>Synopsis:       ipfilter: ip-sync accesses wrong rule in ipfsync_state
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 29 12:05:00 +0000 2009
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 5.0
Dr. Nagler & Company GmbH
System: NetBSD s012 4.0 NetBSD 4.0 (NSW-S012) #9: Fri Mar 13 12:31:52 CET 2009 wgstuken@s012:/usr/src/sys/arch/amd64/compile/NSW-S012 amd64
Architecture: x86_64
Machine: amd64
In /usr/sys/sys/dist/ipf/netinet/ip_sync.c around line 568 the routine fr_getrulen() is called in order to find "the same rule on the slave as on the master". This function is located in /usr/src/sys/dist/ipf/netinet/fil.c around line 3442.

The comment of this function says that it should return a rule of a group, if any. But it uses the member fg_head in the group structure, which points to the first rule that defines an entry to the group, i.e. the first rule with "head <n>" in it. So it will return a pointer to a rule located in the list the head entry is in, not a pointer to a rule inside the group!

So either the comment/description of this routine is wrong or the ip_sync code gets a wrong pointer. The fr_getrulen() function is used only in ipfsync_state(), which itself is used only in ipfsync_write() in the whole NetBSD sources. ipfsync_write() seems to be a kernel function (_KERNEL must be defined). A comment above states that this routine is for debugging only, so it is possible that this issue does harm operation of NetBSD. The function ipfsync_write() is used in iplwrite() if IPFILTER_SYNC is defined, and it looks like this is an option not used in any kernel.

The same "problem" seems to be in the function fr_rulen(), but that function is not used anywhere in the whole source tree (/usr/src). Perhaps that one should be disabled via "#if 0".

Seen by a look into the sources while trying to understand the behaviour of group processing. We do not use the ip_sync stuff at all, as far as my understanding of this part of the kernel has grown till now.

Depends on the correct behaviour of the code: either use fg_start instead of fg_head, or correct the comment to avoid further confusion.
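To make the fg_head versus fg_start distinction from the report concrete, the following is a small C model added here; it is not ipfilter's or NetBSD's code. The type and member names frentry_t, frgroup_t, fr_next, fg_head and fg_start follow the report and ipfilter's source, but the structure layout, the two counting functions, the rule_in_group() helper and the sample ruleset are all assumptions constructed for this example. Counting n rules forward from fg_head lands in the outer list that contains the "head 100" rule, while counting from fg_start lands inside group 100, which is exactly the mismatch the report describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of ipfilter's rule lists and rule groups, constructed for this
 * example. The names frentry_t, frgroup_t, fr_next, fg_head and fg_start
 * follow the bug report and ipfilter's source; the layout, the helper
 * functions and the sample ruleset below are assumptions made here.
 */
typedef struct frentry {
    struct frentry *fr_next;   /* next rule in the same list */
    const char     *fr_name;   /* human-readable label for this rule */
    int             fr_group;  /* group the rule lives in, 0 = main list */
} frentry_t;

typedef struct frgroup {
    int        fg_num;    /* group number, e.g. 100 */
    frentry_t *fg_head;   /* the "head <n>" rule: it sits in the OUTER list */
    frentry_t *fg_start;  /* first rule INSIDE the group */
} frgroup_t;

/* Advance n rules from 'from'; NULL if the list ends first. */
static frentry_t *walk_n(frentry_t *from, int n)
{
    frentry_t *fr;

    for (fr = from; fr != NULL && n > 0; fr = fr->fr_next, n--)
        ;
    return (n == 0) ? fr : NULL;
}

/* Counting from fg_head: the behaviour the report describes for fr_getrulen(). */
frentry_t *getrulen_from_head(frgroup_t *fg, int n)
{
    return walk_n(fg->fg_head, n);
}

/* Counting from fg_start: the behaviour the function's comment describes. */
frentry_t *getrulen_from_start(frgroup_t *fg, int n)
{
    return walk_n(fg->fg_start, n);
}

/*
 * Constructed sample ruleset (assumed, not taken from any real config):
 *   main list : block in all / pass in proto tcp head 100 / pass out all
 *   group 100 : pass in from 10.0.0.0/8 / block in all
 */
static frentry_t main_rules[3] = {
    { &main_rules[1], "block in all",               0 },
    { &main_rules[2], "pass in proto tcp head 100", 0 },
    { NULL,           "pass out all",               0 },
};
static frentry_t group_rules[2] = {
    { &group_rules[1], "pass in from 10.0.0.0/8 group 100", 100 },
    { NULL,            "block in all group 100",            100 },
};
static frgroup_t group100 = { 100, &main_rules[1], &group_rules[0] };

frgroup_t *sample_group(void)
{
    return &group100;
}

/* 1 if the rule is inside group 'num', 0 otherwise (also for NULL). */
int rule_in_group(const frentry_t *fr, int num)
{
    return fr != NULL && fr->fr_group == num;
}

int main(void)
{
    frgroup_t *fg = sample_group();
    int n;

    for (n = 0; n < 3; n++) {
        frentry_t *h = getrulen_from_head(fg, n);
        frentry_t *s = getrulen_from_start(fg, n);

        printf("n=%d  from fg_head: %-28s  from fg_start: %s\n", n,
               h ? h->fr_name : "(none)", s ? s->fr_name : "(none)");
    }
    return 0;
}
```

Running it prints, for each index, the rule reached from fg_head (always a main-list rule, starting with the "head 100" rule itself) beside the rule reached from fg_start (always a group 100 rule). A sync peer that resolves "rule n of group 100" through the fg_head walk would therefore apply state to a rule that is not in the group at all.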

