After having updated to July 21 sources, ipfw complains when adding firewall rules: ``ipfw: getsockopt(IP_FW_ADD): Bad address''. ipfw is loaded as a module in rc.firewall. Relevant rc.firewall, rc.conf and KERNCONF bits follow. Fix: Unknown. How-To-Repeat: == Relevant rc.firewall bits == [Cc][Ll][Ii][Ee][Nn][Tt]) ############ # This is a prototype setup that will protect your system somewhat # against people from outside your own network. ############ # set these to your network and netmask and ip net="130.89.191.255" mask="255.255.224.0" ip="130.89.187.236" setup_loopback # Allow any traffic to or from my own net. ${fwcmd} add pass all from ${ip} to ${net}:${mask} ${fwcmd} add pass all from ${net}:${mask} to ${ip} # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established # Allow IP fragments to pass through ${fwcmd} add pass all from any to any frag # Allow setup of incoming secure shells ${fwcmd} add pass tcp from any to ${ip} 22 setup # Allow setup of incoming email #${fwcmd} add pass tcp from any to ${ip} 25 setup # Allow setup of incoming HTTP connections ${fwcmd} add pass tcp from any to ${ip} 80 setup # Allow setup of outgoing TCP connections only ${fwcmd} add pass tcp from ${ip} to any setup # Disallow setup of all other TCP connections ${fwcmd} add deny tcp from any to any setup # Allow DNS queries out in the world ${fwcmd} add pass udp from ${ip} to any 53 keep-state # Allow NTP queries out in the world ${fwcmd} add pass udp from ${ip} to any 123 keep-state # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel # config file. ;; == Relevant rc.conf bits == hostname="stud187236.mobiel.utwente.nl" ifconfig_hme0="inet 130.89.187.236 netmask 255.255.224.0" defaultrouter="130.89.160.1" firewall_enable="YES" firewall_type="client" == E250 KERNCONF == machine sparc64 cpu SUN4U ident E250 options OFW_NEWPCI options SCHED_4BSD #4BSD scheduler options INET #InterNETworking options FFS #Berkeley Fast Filesystem options SOFTUPDATES #Enable FFS soft updates support options UFS_DIRHASH #Improve performance on big directories options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!] options SCSI_DELAY=5000 #Delay (in ms) before probing SCSI options SYSVSHM #SYSV-style shared memory options SYSVMSG #SYSV-style message queues options SYSVSEM #SYSV-style semaphores #options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions # Standard busses device ebus device pci # SCSI Controllers device sym # NCR/Symbios Logic (newer chipsets + those of `ncr') # SCSI peripherals device scbus # SCSI bus (required) device da # Direct Access (disks) device cd # CD device ofw_console # OpenBoot firmware console device # Builtin hardware device genclock # Generic clock interface device eeprom # eeprom (really an ebus driver for the MK48Txx) device "mk48txx" # Mostek MK48T02, MK48T08, MK48T59 clock # PCI Ethernet NICs that use the common MII bus controller code. device miibus # MII bus support device hme # Sun HME (Happy Meal Ethernet) # Pseudo devices - the number indicates how many units to allocated. device random # Entropy device device loop # Network loopback device ether # Ethernet support device pty # Pseudo-ttys (telnet etc) # The `bpf' device enables the Berkeley Packet Filter. # Be aware of the administrative consequences of enabling this! device bpf #Berkeley packet filter # RANDOM_IP_ID causes the ID field in IP packets to be randomized # instead of incremented by 1 with each packet generated. This # option closes a minor information leak which allows remote # observers to determine the rate of packet generation on the # machine by watching the counter. options RANDOM_IP_ID # Statically Link in accept filters options ACCEPT_FILTER_HTTP
And ``ifconfig``: hme0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 130.89.187.236 netmask 0xffffe000 broadcast 130.89.191.255 ether 08:00:20:cf:c0:1b media: Ethernet autoselect (100baseTX) status: active hme1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500 ether 08:00:20:cf:c0:1b media: Ethernet autoselect lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 inet 127.0.0.1 netmask 0xff000000
On Mon, Jul 21, 2003 at 04:53:02PM +0200, Roderick van Domburg wrote: > After having updated to July 21 sources, ipfw complains when adding > firewall rules: ``ipfw: getsockopt(IP_FW_ADD): Bad address''. > > ipfw is loaded as a module in rc.firewall. Relevant rc.firewall, > rc.conf and KERNCONF bits follow. You rebuilt ipfw.ko after updating your sources, right? Kris
Adding to audit trail ----- Forwarded message from Roderick van Domburg <r.s.a.vandomburg@student.utwente.nl> ----- X-Original-To: kkenn@localhost Delivered-To: kkenn@localhost.obsecurity.org X-Originating-IP: [80.67.173.6] X-Header-Overseas: Mail.from.Overseas.source.80.67.173.6 From: "Roderick van Domburg" <r.s.a.vandomburg@student.utwente.nl> To: "'Kris Kennaway'" <kris@obsecurity.org> Subject: RE: sparc64/54712: ``ipfw: getsockopt(IP_FW_ADD): Bad address'' on sparc64 Date: Tue, 22 Jul 2003 00:27:41 +0200 Organization: University of Twente X-Mailer: Microsoft Office Outlook, Build 11.0.5329 In-Reply-To: <20030721215354.GA441@rot13.obsecurity.org> Thread-Index: AcNP0psTjrSeHt9VRcecY54mnmXctQABI6bQ X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0 X-UTwente-MailScanner: Found to be clean X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.13.7.2 Right, I built and installed both world and kernel. ----- End forwarded message -----
Responsible Changed From-To: freebsd-sparc64->luigi Assign to ipfw maintainer
On Mon, 2003/07/21 at 16:53:02 +0200, Roderick van Domburg wrote: > > >Number: 54712 > >Category: sparc64 > >Synopsis: ``ipfw: getsockopt(IP_FW_ADD): Bad address'' on sparc64 > >Confidential: no > >Severity: critical > >Priority: medium > >Responsible: freebsd-sparc64 > >State: open > >Quarter: > >Keywords: > >Date-Required: > >Class: sw-bug > >Submitter-Id: current-users > >Arrival-Date: Mon Jul 21 08:00:31 PDT 2003 > >Closed-Date: > >Last-Modified: > >Originator: Roderick van Domburg > >Release: FreeBSD 5.1-CURRENT sparc64 > >Organization: > University of Twente > >Environment: > System: FreeBSD stud187236.mobiel.utwente.nl 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Mon Jul 21 16:15:59 CEST 2003 roderick@stud187236.mobiel.utwente.nl:/usr/obj/usr/src/sys/E250 sparc64 > > > > >Description: > > After having updated to July 21 sources, ipfw complains when adding > firewall rules: ``ipfw: getsockopt(IP_FW_ADD): Bad address''. This was broken by the recent changes to src/sbin/ipfw, which added the do_cmd() function. The third argument to this function is a socklen_t, which is however used to in fact pass a pointer to a socklen_t in some cases. socklen_t is always an unsigned 32-bit integer, and is therefore not guaranteed to be large enough to hold a pointer. If such tricks are going to be used, the third argument should be changed to an uintptr_t (which the attached somewhat quick and dirty patch does); it would probably be better to redesign the do_cmd() interface to avoid this though. - Thomas -- Thomas Moestl <t.moestl@tu-bs.de> http://www.tu-bs.de/~y0015675/ <tmm@FreeBSD.org> http://people.FreeBSD.org/~tmm/ PGP fingerprint: 1C97 A604 2BD0 E492 51D0 9C0F 1FE6 4F1D 419C 776C Index: ipfw2.c =================================================================== RCS file: /vol/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.38 diff -u -r1.38 ipfw2.c --- ipfw2.c 21 Jul 2003 09:56:05 -0000 1.38 +++ ipfw2.c 21 Jul 2003 23:42:21 -0000 @@ -363,7 +363,7 @@ * conditionally runs the command. */ static int -do_cmd(int optname, void *optval, socklen_t optlen) +do_cmd(int optname, void *optval, uintptr_t optlen) { static int s = -1; /* the socket */ int i; @@ -1556,7 +1556,7 @@ nbytes = sizeof(struct ip_fw); if ((data = calloc(1, nbytes)) == NULL) err(EX_OSERR, "calloc"); - if (do_cmd(IP_FW_GET, data, (socklen_t)&nbytes) < 0) + if (do_cmd(IP_FW_GET, data, (uintptr_t)&nbytes) < 0) err(EX_OSERR, "getsockopt(IP_FW_GET)"); bcopy(&((struct ip_fw *)data)->next_rule, &set_disable, sizeof(set_disable)); @@ -1701,7 +1701,7 @@ nbytes = nalloc; if ((data = realloc(data, nbytes)) == NULL) err(EX_OSERR, "realloc"); - if (do_cmd(ocmd, data, (socklen_t)&nbytes) < 0) + if (do_cmd(ocmd, data, (uintptr_t)&nbytes) < 0) err(EX_OSERR, "getsockopt(IP_%s_GET)", do_pipe ? "DUMMYNET" : "FW"); } @@ -3493,7 +3493,7 @@ rule->cmd_len = (uint32_t *)dst - (uint32_t *)(rule->cmd); i = (char *)dst - (char *)rule; - if (do_cmd(IP_FW_ADD, rule, (socklen_t)&i) == -1) + if (do_cmd(IP_FW_ADD, rule, (uintptr_t)&i) == -1) err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_ADD"); if (!do_quiet) show_ipfw(rule, 0, 0);
State Changed From-To: open->closed applied to both -current and RELENG_4, thanks