From alex@zen.nash.org  Mon May 27 18:51:04 1996
Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA19808;
          Mon, 27 May 1996 18:50:42 -0700 (PDT)
Received: (from alex@localhost) by zen.nash.org (8.7.5/8.6.12) id UAA00816; Mon, 27 May 1996 20:50:13 -0500 (CDT)
Message-Id: <199605280150.UAA00816@zen.nash.org>
Date: Mon, 27 May 1996 20:50:13 -0500 (CDT)
From: Alex Nash <alex@zen.nash.org>
Reply-To: nash@mcs.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: phk@freebsd.org
Subject: IPFW: prevent deletion of default policy
X-Send-Pr-Version: 3.2

>Number:         1267
>Category:       kern
>Synopsis:       Kernel allows deletion of default policy entry
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    alex
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 27 19:00:04 PDT 1996
>Closed-Date:    Sun Jun 9 16:50:15 PDT 1996
>Last-Modified:  Sun Jun  9 16:50:27 PDT 1996
>Originator:     Alex Nash
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
>Environment:

2.1.0-STABLE/CURRENT running IPFW.

>Description:

The kernel allows the default policy (chain entry 65535) to be
deleted when it should not.

>How-To-Repeat:

# ipfw del 65535
# ipfw l

>Fix:

NOTE: These diffs are against those submitted in kern/1219.  
      The version numbers do not correspond to those in the FreeBSD 
      CVS tree.

The fix consists of a single line change to line 541.  The other
diffs are part of a work in progress:

   - Formatting fix (from my style->BSD)
   - Undocumented feature: disallow IPFW manipulation when 
     securelevel > 2.



Index: ip_fw.c
===================================================================
RCS file: /home/alex/cvs/sys/netinet/ip_fw.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -c -r1.3 -r1.4
*** ip_fw.c	1996/05/19 18:31:09	1.3
--- ip_fw.c	1996/05/28 01:15:27	1.4
***************
*** 11,17 ****
   *
   * This software is provided ``AS IS'' without any warranties of any kind.
   *
!  *	$Id: ip_fw.c,v 1.3 1996/05/19 18:31:09 alex Exp $
   */
  
  /*
--- 11,17 ----
   *
   * This software is provided ``AS IS'' without any warranties of any kind.
   *
!  *	$Id: ip_fw.c,v 1.4 1996/05/28 01:15:27 alex Exp $
   */
  
  /*
***************
*** 538,544 ****
  	s = splnet();
  
  	fcp = chainptr->lh_first; 
! 	if (fcp->rule->fw_number != (u_short)-1) {
  		for (; fcp; fcp = fcp->chain.le_next) {
  			if (fcp->rule->fw_number == frwl->fw_number) {
  				LIST_REMOVE(fcp, chain);
--- 538,544 ----
  	s = splnet();
  
  	fcp = chainptr->lh_first; 
! 	if (frwl->fw_number != (u_short)-1) {
  		for (; fcp; fcp = fcp->chain.le_next) {
  			if (fcp->rule->fw_number == frwl->fw_number) {
  				LIST_REMOVE(fcp, chain);
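Review bot: the operand swap on the `!` line is the right fix. `frwl->fw_number` is the number the caller asked to delete; the old test read `fcp->rule->fw_number`, the first entry on the chain, so a delete of 65535 was refused only when the default policy was the sole rule and went through as soon as any other rule preceded it. The hunk ends before the else path, so confirm that a refused delete of 65535 reaches an error return (EINVAL or whatever the unmatched-rule case already uses) rather than falling through to success, and that `ipfw del` of a number not on the chain still lands in that same path now that the loop runs unconditionally. Dropping the dereference of `fcp` ahead of the loop also removes the one place the old guard could touch a NULL head, which is a welcome side effect.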
***************
*** 578,585 ****
  	 */
  	s = splnet();
  	for (fcp = ip_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next)
! 		if (!frwl || frwl->fw_number == fcp->rule->fw_number)
! 		{
  			fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0;
  			fcp->rule->timestamp = 0;
  		}
--- 578,584 ----
  	 */
  	s = splnet();
  	for (fcp = ip_fw_chain.lh_first; fcp; fcp = fcp->chain.le_next)
! 		if (!frwl || frwl->fw_number == fcp->rule->fw_number) {
  			fcp->rule->fw_bcnt = fcp->rule->fw_pcnt = 0;
  			fcp->rule->timestamp = 0;
  		}
***************
*** 650,655 ****
--- 649,659 ----
  		return (0);
  	}
  	m = *mm;
+ 	/* only allow get calls if secure mode < 3 */
+ 	if (securelevel > 2) {
+ 		if (m) (void)m_free(m);
+ 		return(EPERM);
+ 	}
  	if (stage == IP_FW_FLUSH) {
  		while (ip_fw_chain.lh_first != NULL && 
  		    ip_fw_chain.lh_first->rule->fw_number != (u_short)-1) {
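Review bot: the comment on the added block says the opposite of what the code does. The check sits below a branch that already ends in `return (0)` and above the IP_FW_FLUSH, IP_FW_ADD and IP_FW_DEL handling, so `if (securelevel > 2)` rejects the modifying stages and leaves whatever returned earlier (the get path, if that is the branch above) untouched; reword it along the lines of `/* refuse flush/add/del/zero once securelevel >= 3 */`. Two smaller points: `if (m) (void)m_free(m);` releases only the first mbuf, so if a request can arrive as a chain this should be `m_freem(m)`, matching the other error exits in this function; and since the PR itself calls this an undocumented feature, ipfw(8) and the securelevel description should say that the ruleset becomes read-only at securelevel 3 before this goes in.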
***************
*** 672,678 ****
  		printf("ip_fw_ctl:  NULL mbuf ptr\n");
  		return (EINVAL);
  	}
- 
  	if (stage == IP_FW_ADD || stage == IP_FW_DEL) {
  		struct ip_fw *frwl = check_ipfw_struct(m);
  
--- 676,681 ----
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->alex 
Responsible-Changed-By: alex 
Responsible-Changed-When: Wed May 29 16:40:31 PDT 1996 
Responsible-Changed-Why:  
I now have a chance to fix the things I complained about :) 
State-Changed-From-To: open->closed 
State-Changed-By: alex 
State-Changed-When: Sun Jun 9 16:50:15 PDT 1996 
State-Changed-Why:  
Changes entered into -current under the following versions: 

src/sbin/ipfw.c:         1.25 
src/sys/netinet/ip_fw.c: 1.37 
src/sys/netinet/ip_fw.h: 1.20 

>Unformatted:
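As an added user-space model of the guard this PR corrects (example code, not the PR's patch and not FreeBSD's ip_fw.c): a rule chain with one user rule ahead of the default policy is handed `ipfw del 65535` under the old guard, which tests the first chain entry, and under the new one, which tests the requested number. The plain-pointer list, the `remove_rule`/`chain_has` helpers, the EINVAL return for an unmatched or refused delete (the hunk does not show that path) and the NULL check on the chain head are assumptions made for the illustration.

```c
/* Added example modelling kern/1267's del_entry() guard before and after the
 * fix.  Not FreeBSD code: plain pointers replace the LIST macros, EINVAL for a
 * refused or unmatched delete is assumed, and the NULL check on the head is
 * added so the model cannot crash on an empty chain. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define DEFAULT_RULE ((unsigned short)-1)   /* 65535: the default policy entry */

struct fw_rule  { unsigned short fw_number; };
struct fw_chain { struct fw_rule *rule; struct fw_chain *next; };

/* Build a chain from rule numbers in order; the default policy goes last,
 * as it does in ipfw. */
static struct fw_chain *build_chain(const unsigned short *nums, size_t n)
{
    struct fw_chain *head = NULL, **tail = &head;
    for (size_t i = 0; i < n; i++) {
        struct fw_chain *e = calloc(1, sizeof *e);
        struct fw_rule *r = calloc(1, sizeof *r);
        if (!e || !r) { free(e); free(r); abort(); }
        r->fw_number = nums[i];
        e->rule = r;
        *tail = e;
        tail = &e->next;
    }
    return head;
}

static void free_chain(struct fw_chain *head)
{
    while (head) {
        struct fw_chain *n = head->next;
        free(head->rule);
        free(head);
        head = n;
    }
}

/* 1 if a rule with this number is still on the chain. */
static int chain_has(const struct fw_chain *head, unsigned short num)
{
    for (; head; head = head->next)
        if (head->rule->fw_number == num)
            return 1;
    return 0;
}

/* Unlink and free the first entry numbered `num`: 0 on success, else EINVAL. */
static int remove_rule(struct fw_chain **head, unsigned short num)
{
    for (struct fw_chain **pp = head; *pp; pp = &(*pp)->next) {
        if ((*pp)->rule->fw_number == num) {
            struct fw_chain *e = *pp;
            *pp = e->next;
            free(e->rule);
            free(e);
            return 0;
        }
    }
    return EINVAL;
}

/* Guard as it stood before the fix: it tests the FIRST chain entry rather than
 * the number being deleted, so 65535 is protected only when it is the sole rule. */
static int del_entry_old(struct fw_chain **head, unsigned short num)
{
    struct fw_chain *fcp = *head;
    if (fcp && fcp->rule->fw_number != DEFAULT_RULE)   /* wrong operand */
        return remove_rule(head, num);
    return EINVAL;
}

/* Guard after the fix: the request itself is tested, whatever the chain order. */
static int del_entry_new(struct fw_chain **head, unsigned short num)
{
    if (num != DEFAULT_RULE)
        return remove_rule(head, num);
    return EINVAL;
}

/* Scenario from the PR: one user rule ahead of the default policy, then
 * `ipfw del 65535`.  Returns 1 if the default policy survives under `del`. */
static int default_survives(int (*del)(struct fw_chain **, unsigned short))
{
    const unsigned short nums[] = { 100, DEFAULT_RULE };   /* constructed chain */
    struct fw_chain *chain = build_chain(nums, 2);
    (void)del(&chain, DEFAULT_RULE);
    int kept = chain_has(chain, DEFAULT_RULE);
    free_chain(chain);
    return kept;
}

int main(void)
{
    printf("old guard keeps default policy: %d\n", default_survives(del_entry_old));
    printf("new guard keeps default policy: %d\n", default_survives(del_entry_new));
    return 0;
}
```

The old guard happens to work on a chain holding nothing but rule 65535, which is why the bug is easy to miss in a fresh ruleset; `default_survives` starts with a user rule in front so the wrong operand shows.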
