Re: bin/58371: npfctl 'validate' or 'reload' can crash with crafted npf.conf

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,NetBSD-gnats-web%bow.st@localhost
Subject: Re: bin/58371: npfctl 'validate' or 'reload' can crash with crafted npf.conf
From: mlelstv%serpens.de@localhost (Michael van Elst)
Date: Wed, 26 Jun 2024 16:10:02 +0000 (UTC)

The following reply was made to PR bin/58371; it has been noted by GNATS.

From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/58371: npfctl 'validate' or 'reload' can crash with crafted npf.conf
Date: Wed, 26 Jun 2024 16:04:54 -0000 (UTC)

 NetBSD-gnats-web%bow.st@localhost writes:

 >$lan_addrs= ifaddrs($ext_if)

 >    pass stateful in proto tcp to { $lan_addrs, 192.168.1.10 } port ssh 

 $lan_addrs is assigned a value that represents a dynamic table lookup.

 The npf compiler converts the later reference into a lookup instruction
 that finishes any expression, but the match list that started with '{'
 is still open. That triggers the assertion when the parser continues
 to fetch the literal ip address.

 Reversing the order like:

     pass stateful in proto tcp to { 192.168.1.0, $lan_addrs } port ssh

 seems to succeed, but if you continue with the next line:

 >    pass stateful in on $ext_if from any to any port 655

 then npfctl segfaults.

Prev by Date: Re: kern/58335 (Kernel panic when shutting down a virtual machine with Virtio devices)
Next by Date: Re: bin/58324 (btpand -s/-S waltzes off end of array)
Previous by Thread: bin/58371: npfctl 'validate' or 'reload' can crash with crafted npf.conf
Next by Thread: Re: kern/58335 (Kernel panic when shutting down a virtual machine with Virtio devices)
Indexes:

Home | Main Index | Thread Index | Old Index