bin/52609: npf generates bad bytecode for port ranges

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/52609: npf generates bad bytecode for port ranges
From: stix%stix.id.au@localhost
Date: Tue, 10 Oct 2017 13:15:00 +0000 (UTC)

>Number:         52609
>Category:       bin
>Synopsis:       npf generates bad bytecode for port ranges
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Oct 10 13:15:00 +0000 2017
>Originator:     Paul Ripke
>Release:        NetBSD 8.0_BETA
>Organization:
Paul Ripke
"Great minds discuss ideas, average minds discuss events, small minds
 discuss people."
-- Disputed: Often attributed to Eleanor Roosevelt. 1948.
>Environment:
System: NetBSD slave 8.0_BETA NetBSD 8.0_BETA (SLAVE) #0: Sat Sep 9 12:02:11 AEST 2017 stix@slave:/home/netbsd/netbsd-8/obj.amd64/home/netbsd/netbsd-8/src/sys/arch/amd64/compile/SLAVE amd64
Architecture: x86_64
Machine: amd64
>Description:

Given rules containing a port list, where one of the elements is a port
range, the generated bytecode is incorrect.

>How-To-Repeat:

Given a sample config:

group "fubar" on wi0 {
        pass in final proto tcp to any port { 1, 4-5, 7 }
        pass in final proto tcp to any port { 4-5, 7 }
        pass in final proto tcp to any port { 1, 4-5 }
        pass in final proto tcp to any port { 4-5 }
}

The generated bytecode is:

RULE AT LINE 2
(000) ld       M[0]
(001) jeq      #0x0             jt 14   jf 2
(002) ld       M[2]
(003) jeq      #0x6             jt 4    jf 14
(004) ldx      M[1]
(005) ldh      [x + 2]
(006) jeq      #0x1             jt 13   jf 7
(007) ldh      [x + 2]
(008) jge      #0x4             jt 13   jf 9  <- should be: jt 9  jf 10
(009) jgt      #0x5             jt 10   jf 13
(010) ldh      [x + 2]
(011) jeq      #0x7             jt 13   jf 12
(012) ret      #0
(013) ret      #-1
(014) ret      #0

RULE AT LINE 3
(000) ld       M[0]
(001) jeq      #0x0             jt 12   jf 2
(002) ld       M[2]
(003) jeq      #0x6             jt 4    jf 12
(004) ldx      M[1]
(005) ldh      [x + 2]
(006) jge      #0x4             jt 11   jf 7  <- should be: jt 7  jf 8
(007) jgt      #0x5             jt 8    jf 11
(008) ldh      [x + 2]
(009) jeq      #0x7             jt 11   jf 10
(010) ret      #0
(011) ret      #-1
(012) ret      #0

RULE AT LINE 4
(000) ld       M[0]
(001) jeq      #0x0             jt 12   jf 2
(002) ld       M[2]
(003) jeq      #0x6             jt 4    jf 12
(004) ldx      M[1]
(005) ldh      [x + 2]
(006) jeq      #0x1             jt 11   jf 7
(007) ldh      [x + 2]
(008) jge      #0x4             jt 11   jf 9  <- should be: jt 9  jf 10 (or 12)
(009) jgt      #0x5             jt 10   jf 11
(010) ret      #0
(011) ret      #-1
(012) ret      #0

RULE AT LINE 5
(000) ld       M[0]
(001) jeq      #0x0             jt 9    jf 2
(002) ld       M[2]
(003) jeq      #0x6             jt 4    jf 9
(004) ldx      M[1]
(005) ldh      [x + 2]
(006) jge      #0x4             jt 7    jf 9  <- correct!
(007) jgt      #0x5             jt 9    jf 8
(008) ret      #-1
(009) ret      #0

Workaround: don't use a port range as a list element.

>Fix:

Prev by Date: Re: kern/52605 (aceride crashes)
Next by Date: Re: lib/52578 (gethostbyname has EDNS fallback but getaddrinfo does not)
Previous by Thread: kern/52608: Unexpected ATF test failure and fixes of IPsec on sparc/GuruPlug
Next by Thread: Re: lib/52578 (gethostbyname has EDNS fallback but getaddrinfo does not)
Indexes:

Home | Main Index | Thread Index | Old Index