NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
kern/52536: ipfilter regression in 8.0_BETA due to double-ntohl
>Number: 52536
>Category: kern
>Synopsis: ipfilter regression in 8.0_BETA due to double-ntohl
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Sep 10 11:45:00 +0000 2017
>Originator: Timo Buhrmester
>Release: 8.0_BETA
>Organization:
>Environment:
NetBSD lemon.pr0.tips 8.0_BETA NetBSD 8.0_BETA (LEMONKERN) #2: Mon Sep 4 21:28:49 CEST 2017 build%grapefruit.pr0.tips@localhost:/usr/obj/sys/arch/i386/compile/LEMONKERN i386
>Description:
> Module Name: src
> Committed By: christos
> Date: Fri Aug 5 09:06:52 UTC 2016
>
> Modified Files:
> src/sys/external/bsd/ipf/netinet: fil.c
>
> Log Message:
> partial sync with FreeBSD
This commit made the following change to src/sys/external/bsd/ipf/netinet/fil.c:
@@ -1685,7 +1709,7 @@ ipf_pr_ipv4hdr(fr_info_t *fin)
fin->fin_crc += fi->fi_saddr;
fi->fi_daddr = ip->ip_dst.s_addr;
fin->fin_crc += fi->fi_daddr;
- if (IN_CLASSD(fi->fi_daddr))
+ if (IN_CLASSD(ntohl(fi->fi_daddr)))
fin->fin_flx |= FI_MULTICAST|FI_MBCAST;
/*
Since NetBSD's IN_CLASSD differs from FreeBSD's, IP addresses are effectively compared backwards. An address like e.g. 192.168.1.233 will be considered multicast because it /ends/ in 233.
Apparently (just guessing at this point), ipfilter doesn't keep state on multicast packets, so connectivity to addresses that are "backwards" multicast addresses is effectively broken in a whitelisting ipf setup.
>How-To-Repeat:
Run 8.0_BETA, have whitelisting ipfilter, allow (with keep state) a tcp connection to an address that is the wrong byte-order version of a multicast address, try to netcat to that host. see 'mcast' in ipmon.
>Fix:
Reverting the mentioned hunk (not the whole commit) resolves the problem on my packet filter.
Home |
Main Index |
Thread Index |
Old Index