mirror of https://git.FreeBSD.org/src.git synced 2025-01-12 14:29:28 +00:00

Fix an incredibly horrible bug in the ipfw code

where if you are using the "reset tcp" firewall command,
the kernel would write ethernet headers onto random kernel stack locations.

Fought to the death by: terry, julian, archie.
fix valid for 2.2 series as well.
Julian Elischer 1997-12-19 03:36:15 +00:00
parent a5f4cd5623
commit 45d6875df6
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=31848
3 changed files with 16 additions and 11 deletions


@ -12,7 +12,7 @@
*
* This software is provided ``AS IS'' without any warranties of any kind.
*
* $Id: ip_fw.c,v 1.64 1997/10/12 20:25:25 phk Exp $
* $Id: ip_fw.c,v 1.65 1997/11/05 20:17:19 joerg Exp $
*/
/*
@ -577,23 +577,24 @@ ip_fw_chk(struct ip **pip, int hlen,
{
struct tcphdr *const tcp =
(struct tcphdr *) ((u_long *)ip + ip->ip_hl);
struct tcpiphdr ti;
struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip;
if (offset != 0 || (tcp->th_flags & TH_RST))
break;
ti.ti_i = *((struct ipovly *) ip);
ti.ti_t = *tcp;
NTOHL(ti.ti_seq);
NTOHL(ti.ti_ack);
ti.ti_len = ip->ip_len - hlen - (ti.ti_off << 2);
bcopy(&ti, ip, sizeof(ti));
NTOHL(tip->ti_seq);
NTOHL(tip->ti_ack);
tip->ti_len = ip->ip_len - hlen - (tip->ti_off << 2);
if (tcp->th_flags & TH_ACK) {
tcp_respond(NULL, &ti, *m,
tcp_respond(NULL, tip, *m,
(tcp_seq)0, ntohl(tcp->th_ack), TH_RST);
} else {
if (tcp->th_flags & TH_SYN)
ti.ti_len++;
tcp_respond(NULL, &ti, *m, ti.ti_seq
+ ti.ti_len, (tcp_seq)0, TH_RST|TH_ACK);
tip->ti_len++;
tcp_respond(NULL, tip, *m, tip->ti_seq
+ tip->ti_len, (tcp_seq)0, TH_RST|TH_ACK);
}
*m = NULL;
break;
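Review bot: With `tip` now aliasing the packet, the ACK branch appears to byte-swap the acknowledgement number twice: when the IP header has no options, `tcp` and `&tip->ti_t` refer to the same bytes (assuming `struct ipovly` is the size of an option-less IP header), so `NTOHL(tip->ti_ack)` has already converted the field in place before `ntohl(tcp->th_ack)` reads it. With options present the two pointers differ and `tcp` still sees the untouched header, so the sequence number placed in the RST would depend on the header length. Reading what is needed before the `bcopy`, e.g. `const tcp_seq ack = ntohl(tcp->th_ack);` and `const int flags = tcp->th_flags;`, and using those afterwards would avoid both cases. The hunk also shows no check that the mbuf holds `sizeof(ti)` contiguous bytes at `ip` before the `bcopy` writes there; that may be done earlier in ip_fw_chk, whose body starts and ends outside the hunk.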


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
* $Id: tcp_subr.c,v 1.38 1997/09/16 18:36:06 joerg Exp $
* $Id: tcp_subr.c,v 1.39 1997/10/28 15:58:53 bde Exp $
*/
#include "opt_tcpdebug.h"
@ -164,6 +164,8 @@ tcp_template(tp)
*
* In any case the ack and sequence number of the transmitted
* segment are as specified by the parameters.
*
* NOTE: If m != NULL, then ti must point to *inside* the mbuf.
*/
void
tcp_respond(tp, ti, m, ack, seq, flags)
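Review bot: The added NOTE states the precondition on `ti` but not what breaks when it is violated, and nothing visible in the hunk enforces it. Going by the commit description, a caller passing a `ti` that lived outside the mbuf led to header writes landing on the kernel stack, so the comment should say so, for example `NOTE: If m != NULL, ti must point into m's data, not at a copy; otherwise the reply headers are written relative to the wrong address.` The same comment is added in the identical file section that follows. tcp_respond's body lies outside the hunk, so whether a cheap range check of `ti` against the mbuf's data is feasible there cannot be judged from here.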


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
* $Id: tcp_subr.c,v 1.38 1997/09/16 18:36:06 joerg Exp $
* $Id: tcp_subr.c,v 1.39 1997/10/28 15:58:53 bde Exp $
*/
#include "opt_tcpdebug.h"
@ -164,6 +164,8 @@ tcp_template(tp)
*
* In any case the ack and sequence number of the transmitted
* segment are as specified by the parameters.
*
* NOTE: If m != NULL, then ti must point to *inside* the mbuf.
*/
void
tcp_respond(tp, ti, m, ack, seq, flags)