NetBSD-Bugs archive


bin/54670: npfctl: bugs related tcp flags

>Number:         54670
>Category:       bin
>Synopsis:       npfctl: bugs related tcp flags
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 01 13:15:00 +0000 2019
>Originator:     Azuma OKAMOTO
>Release:        6, 7, 8, 9, current
NetBSD 9.0_BETA NetBSD 9.0_BETA (GENERIC) #6: Wed Sep 11 21:59:29 JST 2019 amd64
There is no problem in practical use.

1. Ambiguous whether the letter corresponding to tcp flag TH_CWR is 'W' or 'C'

In npf.conf, letter 'W' is interpreted as TH_CWR.

> case 'W': tfl |= TH_CWR; break;

But 'npfctl show' shows it as 'C'.

> if (tfl & TH_CWR)       buf[i++] = 'C';

2. Buffer shortage

The buffer for tcpflags is allocated with 16 bytes.
> char buf[16];

But 17 bytes may be needed in the following cases:

FSRPAUE/FSRPAUEW (and trailing \0)
Add a rule including 'flags FSRPAUE/FSRPAUEW' in /etc/npf.conf.
Run 'npfctl show'.

(A 1-byte overrun alone does not always cause a segmentation fault.)
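As an added illustration (this is example code, neither npfctl's nor the reporter's), here is a bounds-checked formatter for the same flag letters. It assumes the letter order F S R P A U E W with 'W' for TH_CWR, and that the mask part is printed only when it differs from the flags; under those assumptions TCPFLAGS_BUFLEN works out to the 17 bytes the report describes, and a 16-byte buffer is rejected on exactly the FSRPAUE/FSRPAUEW case instead of being overrun.

```c
#include <string.h>
/* TCP flag bits as in <netinet/tcp.h>, repeated here so the example is self-contained */
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_PUSH = 0x08,
       TH_ACK = 0x10, TH_URG = 0x20, TH_ECE = 0x40, TH_CWR = 0x80 };
/* One letter per flag; 'W' for TH_CWR matches the npf.conf parser side quoted in the report */
static const struct { unsigned bit; char letter; } flag_letters[] = {
	{ TH_FIN, 'F' }, { TH_SYN, 'S' }, { TH_RST, 'R' }, { TH_PUSH, 'P' },
	{ TH_ACK, 'A' }, { TH_URG, 'U' }, { TH_ECE, 'E' }, { TH_CWR, 'W' },
};
#define NFLAGS (sizeof(flag_letters) / sizeof(flag_letters[0]))

/* Worst case "flags/mask" has flags a proper subset of mask: 7 + '/' + 8 + NUL = 17 bytes */
#define TCPFLAGS_BUFLEN ((NFLAGS - 1) + 1 + NFLAGS + 1)

/* Store one character at buf[*pos], keeping room for the NUL; returns -1 if it would overrun */
static int
put(char *buf, size_t buflen, size_t *pos, char ch)
{
	if (*pos + 1 >= buflen) {
		buf[*pos] = '\0';	/* leave a valid string behind even on failure */
		return -1;
	}
	buf[(*pos)++] = ch;
	buf[*pos] = '\0';
	return 0;
}

/* Append the letter of every bit set in tfl, in the order of flag_letters */
static int
append_flags(char *buf, size_t buflen, size_t *pos, unsigned tfl)
{
	for (size_t i = 0; i < NFLAGS; i++)
		if ((tfl & flag_letters[i].bit) && put(buf, buflen, pos, flag_letters[i].letter))
			return -1;
	return 0;
}

/* Format "flags" (mask == flags) or "flags/mask"; returns the length, or -1 if buflen is too small */
int
tcpflags_format(char *buf, size_t buflen, unsigned tfl, unsigned mask)
{
	size_t pos = 0;
	if (buflen == 0) return -1;
	buf[0] = '\0';
	if (append_flags(buf, buflen, &pos, tfl) != 0 || (mask != tfl &&
	    (put(buf, buflen, &pos, '/') != 0 || append_flags(buf, buflen, &pos, mask) != 0)))
		return -1;
	return (int)pos;
}
```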
