Subject: Re: ALERT: Security hole introduced by patch being backed out on releng-1-5 branch.
To: Steven M. Bellovin <smb@research.att.com>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-security
Date: 10/26/2001 08:08:59
In some email I received from Steven M. Bellovin, sie wrote:
> In message <200110251406.AAA07224@avalon.reed.wattle.id.au>, Darren Reed writes
> :
> >
> >It appears someone decided to remove the code which invokes pfil_hooks
> >on forwarded IPv6 packets for the NetBSD 1.5 branch, leading to it not
> >being possible to filter them.  Thanks releng-1-5, you're my heroes.
> >
> >
> Do you have a patch for 1.5.x to reinstall it?  Or should I just turn 
> off v6?

Index: ip6_forward.c
===================================================================
RCS file: /cvsroot/syssrc/sys/netinet6/ip6_forward.c,v
retrieving revision 1.12.2.4
retrieving revision 1.12.2.5
diff -c -r1.12.2.4 -r1.12.2.5
*** ip6_forward.c	2000/09/29 06:29:54	1.12.2.4
--- ip6_forward.c	2001/10/15 13:19:15	1.12.2.5
***************
*** 1,4 ****
! /*	$NetBSD: ip6_forward.c,v 1.12.2.4 2000/09/29 06:29:54 itojun Exp $	*/
  /*	$KAME: ip6_forward.c,v 1.56 2000/09/22 04:01:37 itojun Exp $	*/
  
  /*
--- 1,4 ----
! /*	$NetBSD: ip6_forward.c,v 1.12.2.5 2001/10/15 13:19:15 darrenr Exp $	*/
  /*	$KAME: ip6_forward.c,v 1.56 2000/09/22 04:01:37 itojun Exp $	*/
  
  /*
***************
*** 46,51 ****
--- 46,54 ----
  
  #include <net/if.h>
  #include <net/route.h>
+ #ifdef PFIL_HOOKS
+ #include <net/pfil.h>
+ #endif
  
  #include <netinet/in.h>
  #include <netinet/in_var.h>
***************
*** 92,97 ****
--- 95,105 ----
  	int error, type = 0, code = 0;
  	struct mbuf *mcopy = NULL;
  	struct ifnet *origifp;	/* maybe unnecessary */
+ #ifdef PFIL_HOOKS
+ 	struct packet_filter_hook *pfh;
+ 	struct mbuf *m1;
+ 	int rv;
+ #endif /* PFIL_HOOKS */
  #ifdef IPSEC
  	struct secpolicy *sp = NULL;
  #endif
***************
*** 490,495 ****
--- 498,524 ----
  			ip6->ip6_dst.s6_addr16[1] = 0;
  	}
  
+ #ifdef PFIL_HOOKS
+ 	/*
+ 	 * Run through list of hooks for output packets.
+ 	 */
+ 	m1 = m;
+ 	pfh = pfil_hook_get(PFIL_OUT, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
+ 	for (; pfh; pfh = pfh->pfil_link.tqe_next)
+ 		if (pfh->pfil_func) {
+ 			rv = pfh->pfil_func(ip6, sizeof(*ip6),
+ 					    rt->rt_ifp, 1, &m1);
+ 			m = m1;
+ 			if (m == NULL)
+ 				goto freecopy;
+ 			if (rv) {
+ 				error = EHOSTUNREACH;
+ 				goto senderr;
+ 			}
+ 			ip6 = mtod(m, struct ip6_hdr *);
+ 		}
+ #endif /* PFIL_HOOKS */
+ 
  #ifdef OLDIP6OUTPUT
  	error = (*rt->rt_ifp->if_output)(rt->rt_ifp, m,
  					 (struct sockaddr *)dst,
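Review bot: In the `if (rv)` branch the code jumps to senderr with `m` still allocated whenever a hook reports a reject but leaves the mbuf in place, and the senderr path shown in the following hunk returns without freeing it, so such a packet is leaked; conversely, because `m = m1; if (m == NULL) goto freecopy;` runs before the `rv` test, a hook that frees the mbuf and also returns non-zero goes to freecopy and never reaches the EHOSTUNREACH handling, making that error assignment dead for such hooks. Which of the two contracts the registered hooks actually follow is not visible here and should be confirmed; if a hook may hand back a non-NULL mbuf on reject, the branch should read `if (rv) { m_freem(m); error = EHOSTUNREACH; goto senderr; }`, and if hooks always consume it on reject, testing `rv` before assigning `m` is the ordering that keeps the error path reachable. It is also worth stating the ownership rule in the loop comment, e.g. `/* Run output hooks; a hook may replace, consume (NULL) or reject the mbuf — on reject m1 is expected to be NULL. */`, since a reader cannot tell it from the call. Note that senderr lands after the output call but before `if (mcopy == NULL) return;`, so any bookkeeping the output path does in between (outside this hunk) is skipped for rejected packets. ip6_forward begins and ends outside this hunk.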
***************
*** 510,515 ****
--- 539,548 ----
  				goto freecopy;
  		}
  	}
+ 
+ #ifdef PFIL_HOOKS
+  senderr:
+ #endif
  	if (mcopy == NULL)
  		return;