From dierk@blaxxtarz.de  Sun Jan 20 03:02:46 2008
Return-Path: <dierk@blaxxtarz.de>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D214316A418
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 20 Jan 2008 03:02:46 +0000 (UTC)
	(envelope-from dierk@blaxxtarz.de)
Received: from smtprelay12.ispgateway.de (smtprelay12.ispgateway.de [80.67.29.29])
	by mx1.freebsd.org (Postfix) with ESMTP id 7561B13C447
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 20 Jan 2008 03:02:46 +0000 (UTC)
	(envelope-from dierk@blaxxtarz.de)
Received: from [88.74.88.70] (helo=maxx.evangelion.free)
	by smtprelay12.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256)
	(Exim 4.68)
	(envelope-from <dierk@blaxxtarz.de>)
	id 1JGOlL-0005WS-9F
	for FreeBSD-gnats-submit@freebsd.org; Sun, 20 Jan 2008 02:14:15 +0100
Received: from [192.168.123.1] (helo=blaxxtarz.evangelion.free)
	by maxx.evangelion.free with esmtps (Exim 4.69 #0 (Unix))
	id 1JGOkw-000Mcc-Sk
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 20 Jan 2008 02:13:50 +0100
Received: from blaxxtarz.evangelion.free (localhost [127.0.0.1])
	by blaxxtarz.evangelion.free (8.13.8/8.13.8) with ESMTP id m0K1Domi096625
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 20 Jan 2008 02:13:50 +0100 (CET)
	(envelope-from dierk@blaxxtarz.evangelion.free)
Received: (from dierk@localhost)
	by blaxxtarz.evangelion.free (8.13.8/8.13.8/Submit) id m0K1DngK096624;
	Sun, 20 Jan 2008 02:13:49 +0100 (CET)
	(envelope-from dierk)
Message-Id: <200801200113.m0K1DngK096624@blaxxtarz.evangelion.free>
Date: Sun, 20 Jan 2008 02:13:49 +0100 (CET)
From: Dierk Sacher <usenet01@blaxxtarz.de>
Reply-To: Dierk Sacher <usenet01@blaxxtarz.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ipfw - incorrect handling of missing arguments - segfault
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         119815
>Category:       bin
>Synopsis:       [ipfw] [patch] incorrect handling of missing arguments - segfault
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 20 03:10:00 UTC 2008
>Closed-Date:    Tue Feb 26 09:31:46 UTC 2008
>Last-Modified:  Tue Feb 26 09:31:46 UTC 2008
>Originator:     Dierk Sacher
>Release:        FreeBSD 7.0-RC1 i386
>Organization:
DSITC
>Environment:
System: FreeBSD voxx.evangelion.free 7.0-RC1 FreeBSD 7.0-RC1 #3: Sun Jan 20 00:44:35 CET 2008     root@voxx.evangelion.free:/usr/obj/usr/src/sys/VOXX  i386


>Description:
ipfw does not properly validate the interface argument of the nat config
"if" parameter.

If the argument is left out, ipfw segfaults because the TOK_IF: case does no
check for ac == 0 before using av[0] (as is done for the ip case).
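To show the parsing pattern the report describes, here is an added example that is not code from ipfw2.c or from the PR: a small keyword/argument walker in the style of the "nat N config ..." loop, where each keyword that takes a value must check that a value is still present before reading av[0]. All names in it (tokenize, parse_nat_config, struct nat_cfg, the keyword subset ip/if/log) are hypothetical, and it reports errors through a return code instead of errx(3) so the behaviour can be checked without the process exiting.

```c
/* Added example, not FreeBSD's ipfw2.c: a minimal "config" keyword parser
 * that consumes (ac, av) the way the ipfw command-line loop does, with the
 * ac == 0 guard applied to every keyword that needs an argument. */
#include <stdio.h>
#include <string.h>

/* Hypothetical subset of the nat config keywords. */
enum tok { TOK_NONE, TOK_IP, TOK_IF, TOK_LOG };

struct nat_cfg {
    char        ip[64];     /* value after "ip" */
    char        ifname[16]; /* value after "if" */
    int         log;        /* "log" is a flag and takes no argument */
    const char *err;        /* set instead of calling errx(), so callers can test it */
};

static enum tok tokenize(const char *s)
{
    if (strcmp(s, "ip") == 0)  return TOK_IP;
    if (strcmp(s, "if") == 0)  return TOK_IF;
    if (strcmp(s, "log") == 0) return TOK_LOG;
    return TOK_NONE;
}

/* Parse the words after "config". Returns 0 on success, -1 on error with
 * cfg->err describing which keyword was incomplete or unknown. */
int parse_nat_config(int ac, char **av, struct nat_cfg *cfg)
{
    memset(cfg, 0, sizeof(*cfg));
    while (ac > 0) {
        enum tok t = tokenize(av[0]);
        ac--; av++;                           /* consume the keyword itself */
        switch (t) {
        case TOK_IP:
            if (ac == 0) { cfg->err = "missing address after 'ip'"; return -1; }
            snprintf(cfg->ip, sizeof cfg->ip, "%s", av[0]);
            ac--; av++;                       /* consume the value */
            break;
        case TOK_IF:
            /* This is the guard the PR adds. Without it, "if" as the last
             * word makes av[0] point past the end of the argument list. */
            if (ac == 0) { cfg->err = "missing interface name after 'if'"; return -1; }
            snprintf(cfg->ifname, sizeof cfg->ifname, "%s", av[0]);
            ac--; av++;
            break;
        case TOK_LOG:
            cfg->log = 1;                     /* flag keyword, nothing to consume */
            break;
        default:
            cfg->err = "unrecognized option";
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed argument vectors: the words that follow "ipfw nat 1 config". */
    char *ok[]  = { "if", "rl0", "log" };
    char *bad[] = { "if" };                   /* the reproducer from the PR */
    struct nat_cfg cfg;

    if (parse_nat_config(3, ok, &cfg) == 0)
        printf("if=%s log=%d\n", cfg.ifname, cfg.log);
    if (parse_nat_config(1, bad, &cfg) != 0)
        printf("error: %s\n", cfg.err);
    return 0;
}
```

The point of the structure is that the keyword is consumed first and the remaining count is re-checked before every value read, so an argument list that ends on a value-taking keyword is rejected with a message naming the keyword rather than dereferencing whatever follows the last argv entry.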

	
>How-To-Repeat:
Issue the following commands on a machine with the new IPFIREWALL_NAT feature turned on:

1. Configure a nat rule (e.g.: ipfw add 100 nat 1 ip from any to any via rl0)
2. Issue the _wrong_ command (intentionally leaving out the interface
   argument): ipfw nat 1 config if 

ipfw will segfault and dump core.




>Fix:
See the patch against ipfw2.c below.

--- ipfw2.c.orig        2008-01-20 01:57:47.000000000 +0100
+++ ipfw2.c     2008-01-20 01:57:53.000000000 +0100
@@ -3994,6 +3994,8 @@
                        ac--; av++;
                        break;      
                case TOK_IF:
+                       if (ac == 0) 
+                               errx(EX_DATAERR, "missing option");
                        set_addr_dynamic(av[0], n);
                        ac--; av++;
                        break;
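Review bot: the added `if (ac == 0) ` line carries trailing whitespace after the `)`, and the message "missing option" does not tell the user which keyword lacked its argument; consider `errx(EX_DATAERR, "missing interface name after 'if'");` so the error names what was expected. The check itself is the right fix: with ac == 0, `set_addr_dynamic(av[0], n)` reads past the end of the argument list, which is the segfault the description reports, and it matches the guard the description says the ip case already has.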


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jan 20 03:43:54 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=119815 
State-Changed-From-To: open->patched 
State-Changed-By: maxim 
State-Changed-When: Sun Jan 20 08:31:47 UTC 2008 
State-Changed-Why:  
Fixed in HEAD.  Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=119815 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/119815: commit references a PR
Date: Sun, 20 Jan 2008 08:31:41 +0000 (UTC)

 maxim       2008-01-20 08:31:35 UTC
 
   FreeBSD src repository
 
   Modified files:
     sbin/ipfw            ipfw2.c 
   Log:
   o Fix ipfw(8) command line parser bug: "ipfw nat 1 config if"
     requires an argument.
   
   PR:             bin/119815
   Submitted by:   Dierk Sacher
   MFC after:      1 week
   
   Revision  Changes    Path
   1.112     +2 -0      src/sbin/ipfw/ipfw2.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: maxim 
State-Changed-When: Tue Feb 26 09:31:27 UTC 2008 
State-Changed-Why:  
Merged to RELENG_7. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=119815 
>Unformatted:
