| Summary: | Broken getsockopt(IPV6_FW_GET) with IPv6 Firewall on FreeBSD 4.1-STABLE and 4.2-STABLE locks system | ||
|---|---|---|---|
| Product: | Base System | Reporter: | simon <simon> |
| Component: | kern | Assignee: | Hajimu UMEMOTO <ume> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 4.1-STABLE | ||
| Hardware: | Any | ||
| OS: | Any | ||
Responsible Changed From-To: freebsd-bugs->ume

I'll take a look at this PR.

State Changed From-To: open->feedback

I just committed the fix:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ip6fw/ip6fw.c.diff?r1=1.1&r2=1.2
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/ip6_output.c.diff?r1=1.22&r2=1.23

I'd like to hear the result.

There are too many changes in src/sys/netinet6/ip6_output.c (for example the new #included opt_pfil_hooks.h file), so I can't test the changes on my FreeBSD 4.2-STABLE and have no opportunity to install FreeBSD CURRENT. Sorry, but I can't check if it works on 4.2-STABLE.

Hi,

>>>>> On Fri, 26 Jan 2001 17:08:58 +0300
>>>>> "Andrey Simonenko" <simon@comsys.ntu-kpi.kiev.ua> said:

simon> There are too many changes in src/sys/netinet6/ip6_output.c (for example the new
simon> #included opt_pfil_hooks.h file), so I can't test the changes on my FreeBSD
simon> 4.2-STABLE and have no opportunity to install FreeBSD CURRENT. Sorry, but I
simon> can't check if it works on 4.2-STABLE.

You can just apply the patch obtained from the following URL to your 4.2-STABLE source:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/ip6_output.c.diff?r1=1.22&r2=1.23

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

I applied your patch to FreeBSD 4.2-STABLE and didn't find any problems described in this PR. Thanks.

State Changed From-To: feedback->closed

Thank you for your report. I'll MFC it later.
INET6 and IPv6 Firewall support is added to the kernel. If I call

```c
getsockopt(sd, IPPROTO_IPV6, IPV6_FW_GET, rules, &bytes);
```

and "bytes" isn't enough to hold the whole IPv6 Firewall table in "rules", then the next call, or sometimes just one call, of this function will lock (block) the system. The keyboard works, but I can only switch consoles and can't ping my system over the network.

This is a simple test for this bug. Let's create a shell script:

```sh
#!/bin/sh
# Add rules 1..1100 so the table outgrows the 1024-entry array in ip6fw's list().
i=1
while [ ${i} -le 1100 ] ; do
    ip6fw -q add ${i} allow all from any to any
    i=`expr ${i} + 1`
done
```

This script creates 1100 rules + 1 rule for the IPv6 Firewall (+1 for the default rule). If we run

```
# ip6fw l
```

then the whole system will be blocked (sometimes I have to run this command more than one time). Let's look at the source for it, /usr/src/sbin/ip6fw/ip6fw.c. In the function

```c
void
list(ac, av)
	int ac;
	char **av;
{
	struct ip6_fw *r;
	struct ip6_fw rules[1024];
	int l,i;
	unsigned long rulenum;
	int bytes;

	/* extract rules from kernel */
	memset(rules,0,sizeof rules);
	bytes = sizeof rules;
	i = getsockopt(s, IPPROTO_IPV6, IPV6_FW_GET, rules, &bytes);
```

the "rules" array can hold just 1024 rules and we have 1100 rules.

Fix:

Change the size of "rules" to 65536 in the following function in /usr/src/sbin/ip6fw/ip6fw.c (really the kernel should be patched, as I understand):

```c
void
list(ac, av)
	int ac;
	char **av;
{
	struct ip6_fw *r;
	struct ip6_fw rules[65536];
```

How-To-Repeat:

Don't know how to repeat the bug with getsockopt(). I think that the problem is in the function ip6_ctloutput() in /usr/src/sys/netinet6/ip6_output.c. After "case IPV6_FW_GET" the soopt_mcopyout() function is called and it doesn't check the available size of the buffer passed to getsockopt(). The function like this for the IPv4 Firewall checks the size of the buffer passed to getsockopt(), and there everything is correct.
ip6fw can be simply fixed, but the following change is only a fast patch, and really the IPv6 Firewall should be fixed somewhere in the kernel, as I understood.
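
The report above comes down to a copy-out that ignores the buffer length the caller passed to getsockopt(). The following userland C model is an added example, not the committed fix and not FreeBSD source: `struct rule`, `table`, `fw_get` and `list_rules` are hypothetical stand-ins that show the length check on the handler side and a grow-and-retry read on the caller side.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct ip6_fw; the real layout is not reproduced. */
struct rule { unsigned short num; char body[62]; };

#define NRULES 1101                     /* 1100 added rules + the default rule */
static struct rule table[NRULES];       /* models the kernel's rule list */

/* Hypothetical bounded "get" handler: writes at most the *len bytes the caller
 * supplied, whole rules only, and reports the bytes written through *len. */
int fw_get(void *ubuf, size_t *len)
{
    size_t n;

    if (ubuf == NULL || len == NULL)
        return EINVAL;
    n = (*len < sizeof(table) ? *len : sizeof(table)) / sizeof(struct rule);
    memcpy(ubuf, table, n * sizeof(struct rule));
    *len = n * sizeof(struct rule);
    return 0;
}

/* Caller side: a completely filled buffer may mean truncation, so grow and
 * retry instead of trusting a fixed rules[1024]. Returns the rule count. */
size_t list_rules(struct rule **out)
{
    size_t cap = 1024 * sizeof(struct rule), len;
    struct rule *buf = NULL, *tmp;

    for (;;) {
        if ((tmp = realloc(buf, cap)) == NULL) { free(buf); return 0; }
        buf = tmp;
        len = cap;
        if (fw_get(buf, &len) != 0) { free(buf); return 0; }
        if (len < cap)                  /* spare room left: table is complete */
            break;
        cap *= 2;
    }
    *out = buf;
    return len / sizeof(struct rule);
}
```

With a 1024-rule buffer the handler returns exactly 1024 rules and stops; the caller then doubles the buffer and reads all 1101 on the second pass.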