Bug 25107

Summary: natd (and others?) segfault caused by error in libalias
Product: Base System
Reporter: jcole <jcole>
Component: misc
Assignee: ru <ru>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.1-RELEASE
Hardware: Any
OS: Any

Description jcole 2001-02-15 06:20:01 UTC
line 2622 of alias_db.c in libalias declares a variable to hold "The first firewall entry free for our use" when poking holes in the firewall for ftp data and irc dcc connections.  It's declared as int.  FreeBSD's ipfw firewall uses rule numbers up to 65535, so this variable should be declared as unsigned int.  When natd is set up to use this feature and the firewall "base" number is greater than 32767, natd happily segfaults when an ftp data connection is natted, and natd tries to generate the firewall hole.  I'm sure other software based on libalias is affected.

Fix: 

Change line 2622 of alias_db.c to read "unsigned int" instead of "int".  Note also that natd uses an unsigned int internally and when passing the base value to libalias routines.
How-To-Repeat: Simply fire up natd with the -punch_fw basenumber:count option and the basenumber set greater than 32767 and try and establish an ftp data connection through the nat.
Comment 1 Brian Somers 2001-02-16 00:42:40 UTC
> >Number:         25107
> >Category:       misc
> >Synopsis:       natd (and others?) segfault caused by error in libalias
[.....]
> >Description:
> line 2622 of alias_db.c in libalias declares a variable to hold "The first firewall entry free for our use" when poking holes in the firewall for ftp data and irc dcc connections.  It's declared as int.  FreeBSD's ipfw firewall uses rule numbers up to 65535, so this variable should be declared as unsigned int.  When natd is set up to use this feature and the firewall "base" number is greater than 32767, natd happily segfaults when an ftp data connection is natted, and natd tries to generate the firewall hole.  I'm sure other software based on libalias is affected.

I'm a little confused here.  An int is 32 bits - maxint is just above 
2,000,000,000.  I don't understand what's wrapping at 32768...

> >How-To-Repeat:
> Simply fire up natd with the -punch_fw basenumber:count option and the basenumber set greater than 32767 and try and establish an ftp data connection through the nat.
> >Fix:
> Change line 2622 of alias_db.c to read "unsigned int" instead of "int".  Note also that natd uses an unsigned int internally and when passing the base value to libalias routines.

This looks dangerous.  Just paging down the code a bit shows things 
like fireWallNumNums and fileWallActiveNum should also probably be 
unsigned.  This also implies that ``fwhole'' (local and in struct 
tcp_dat) should be unsigned - but that breaks in at least one place 
(namely the ``if (fwhole < 0)'' bit in ClearFWHole()).

I'm not saying that your suggestion is wrong, but that it looks a bit 
dangerous to me :-/

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
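The two points raised above, that a 32-bit int does not wrap at 32768 and that an unsigned `fwhole` makes the `fwhole < 0` sentinel test vacuous, as an added illustration in C. This is not libalias or natd code; the function names, the `FWHOLE_NONE` sentinel and the 1..65535 rule range are assumptions for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only, not libalias code. ipfw rule numbers run 1..65535. */
#define IPFW_MAX_RULE 65535
#define FWHOLE_NONE   UINT_MAX   /* assumed "no hole allocated" sentinel for an unsigned field */

/* Can a -punch_fw base:count range be represented in ipfw's rule space?
 * Computed in int: INT_MAX on a 32-bit int is 2147483647, so nothing wraps at 32768. */
bool punch_range_fits(int base, int count)
{
    if (base <= 0 || count <= 0 || base > IPFW_MAX_RULE)
        return false;
    /* last rule used is base + count - 1; rearranged so the sum cannot overflow */
    return count - 1 <= IPFW_MAX_RULE - base;
}

/* Signed field: -1 is a workable sentinel and `fwhole < 0` detects it. */
bool hole_unset_signed(int fwhole)
{
    return fwhole < 0;
}

/* Unsigned field with the same test: -1 becomes UINT_MAX on assignment and the
 * comparison can never be true. The zero is held in a variable only to keep
 * compilers from flagging the literal `fwhole < 0` as tautological. */
bool hole_unset_unsigned_broken(unsigned fwhole)
{
    unsigned zero = 0;
    return fwhole < zero;   /* always false for an unsigned value */
}

/* Unsigned field done properly: compare against a sentinel the type can hold. */
bool hole_unset_unsigned_fixed(unsigned fwhole)
{
    return fwhole == FWHOLE_NONE;
}

int main(void)
{
    unsigned fwhole = (unsigned)-1;   /* what storing -1 into an unsigned yields */
    printf("32767 + 1 as int = %d; range 40000:100 fits = %d\n",
           32767 + 1, punch_range_fits(40000, 100));
    printf("broken test sees hole as unset: %d; fixed test: %d\n",
           hole_unset_unsigned_broken(fwhole), hole_unset_unsigned_fixed(fwhole));
    return 0;
}
```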
Comment 2 ru freebsd_committer freebsd_triage 2001-02-27 08:09:55 UTC
State Changed
From-To: open->closed

This bug was fixed in 4.1-STABLE, libalias/alias_db.c,v 1.21.2.6. 
And it was a different reason. 


Comment 3 ru freebsd_committer freebsd_triage 2001-02-27 08:09:55 UTC
Responsible Changed
From-To: freebsd-bugs->ru

I am the maintainer of natd(8).