From nobody@FreeBSD.org  Thu Jan 11 02:03:08 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 4D1F137B401
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 11 Jan 2001 02:03:08 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f0BA38o28626;
	Thu, 11 Jan 2001 02:03:08 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200101111003.f0BA38o28626@freefall.freebsd.org>
Date: Thu, 11 Jan 2001 02:03:08 -0800 (PST)
From: simon@simon.org.ua
To: freebsd-gnats-submit@FreeBSD.org
Subject: Broken getsockopt(IPV6_FW_GET) with IPv6 Firewall on FreeBSD 4.1-STABLE and 4.2-STABLE locks system
X-Send-Pr-Version: www-1.0

>Number:         24248
>Category:       kern
>Synopsis:       Broken getsockopt(IPV6_FW_GET) with IPv6 Firewall on FreeBSD 4.1-STABLE and 4.2-STABLE locks system
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 11 02:10:03 PST 2001
>Closed-Date:    Mon Jan 29 11:08:41 PST 2001
>Last-Modified:  Mon Jan 29 11:09:49 PST 2001
>Originator:     Andrey Simonenko
>Release:        4.1-STABLE i386, 4.2-STABLE i386
>Organization:
>Environment:
>Description:
INET6 and IPv6 Firewall support are added to the kernel. If I call

getsockopt(sd, IPPROTO_IPV6, IPV6_FW_GET, rules, &bytes);

and "bytes" isn't enough to hold the whole IPv6 Firewall table in "rules", then the next call, or sometimes just one call of this function, will lock up (block) the system. The keyboard works, but I can only switch consoles, and I can't ping my system over the network.

This is a simple test for this bug. Let's create a shell script:

============================================================================
#!/bin/sh

i=1
while [ ${i} -lt 1100 ] ; do
	ip6fw -q add ${i} allow all from any to any
	i=`expr ${i} + 1`
done
============================================================================

This script creates 1100 rules + 1 rule for the IPv6 Firewall (+1 for the default rule).
If we run

# ip6fw l

then the whole system will be blocked (sometimes I have to run this command more than once).

Let's look at the source for it, /usr/src/sbin/ip6fw/ip6fw.c. In the function

void
list(ac, av)
	int	ac;
	char 	**av;
{
	struct ip6_fw *r;
	struct ip6_fw rules[1024];
	int l,i;
	unsigned long rulenum;
	int bytes;

	/* extract rules from kernel */
	memset(rules,0,sizeof rules);
	bytes = sizeof rules;
	i = getsockopt(s, IPPROTO_IPV6, IPV6_FW_GET, rules, &bytes);

the "rules" array can hold just 1024 rules, and we have 1100 rules.


>How-To-Repeat:
I don't know how to repeat the bug with getsockopt(). I think the problem is in the function ip6_ctloutput() in /usr/src/sys/netinet6/ip6_output.c. After "case IPV6_FW_GET" the soopt_mcopyout() function is called, and it doesn't check the available size of the buffer passed to getsockopt(). The corresponding function for the IPv4 Firewall checks the size of the buffer passed to getsockopt(), and there everything is correct.

ip6fw can be simply fixed, but the following change is only a quick patch; the IPv6 Firewall really should be fixed somewhere in the kernel, as I understand it.

>Fix:
Change the size of "rules" to 65536 in the following function in /usr/src/sbin/ip6fw/ip6fw.c (really the kernel should be patched, as I understand it):

void
list(ac, av)
	int	ac;
	char 	**av;
{
	struct ip6_fw *r;
	struct ip6_fw rules[65536];



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ume 
Responsible-Changed-By: ume 
Responsible-Changed-When: Sat Jan 20 07:35:43 PST 2001 
Responsible-Changed-Why:  
I'll take a look at this PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=24248 
State-Changed-From-To: open->feedback 
State-Changed-By: ume 
State-Changed-When: Sat Jan 20 14:42:58 PST 2001 
State-Changed-Why:  
I just committed the fix: 

http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ip6fw/ip6fw.c.diff?r1=1.1&r2=1.2 
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/ip6_output.c.diff?r1=1.22&r2=1.23 

I'd like to hear the result. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=24248 

From: "Andrey Simonenko" <simon@comsys.ntu-kpi.kiev.ua>
To: <freebsd-gnats-submit@FreeBSD.org>, <ume@FreeBSD.org>
Cc:  
Subject: Re: kern/24248: Broken getsockopt(IPV6_FW_GET) with IPv6 Firewall on FreeBSD 4.1-STABLE and 4.2-STABLE locks system
Date: Fri, 26 Jan 2001 17:08:58 +0300

 There are too many changes in src/sys/netinet6/ip6_output.c (for example the newly
 #included opt_pfil_hooks.h file), so I can't test the changes on my FreeBSD
 4.2-STABLE, and I don't have the opportunity to install FreeBSD CURRENT. Sorry, but I
 can't check if it works on 4.2-STABLE.
 
 

From: Hajimu UMEMOTO <ume@FreeBSD.org>
To: simon@comsys.ntu-kpi.kiev.ua
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/24248: Broken getsockopt(IPV6_FW_GET) with IPv6 Firewall
 on FreeBSD 4.1-STABLE and 4.2-STABLE locks system
Date: Sat, 27 Jan 2001 01:41:02 +0900 (JST)

 Hi,
 
 >>>>> On Fri, 26 Jan 2001 17:08:58 +0300
 >>>>> "Andrey Simonenko" <simon@comsys.ntu-kpi.kiev.ua> said:
 
 simon> There are too many changes in src/sys/netinet6/ip6_output.c (for example the newly
 simon> #included opt_pfil_hooks.h file), so I can't test the changes on my FreeBSD
 simon> 4.2-STABLE, and I don't have the opportunity to install FreeBSD CURRENT. Sorry, but I
 simon> can't check if it works on 4.2-STABLE.
 
 You can just apply the patch obtained from the following URL to your
 4.2-STABLE source:
 
   http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/ip6_output.c.diff?r1=1.22&r2=1.23
 
 --
 Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
 ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
 http://www.imasy.org/~ume/
 

From: "Andrey Simonenko" <simon@comsys.ntu-kpi.kiev.ua>
To: <freebsd-gnats-submit@FreeBSD.org>
Cc:  
Subject: Re: kern/24248: Broken getsockopt(IPV6_FW_GET) with IPv6 Firewall on FreeBSD 4.1-STABLE and 4.2-STABLE locks system
Date: Mon, 29 Jan 2001 11:42:37 +0300

 I applied your patch to FreeBSD 4.2-STABLE and didn't find any problems
 described in this PR. Thanks.
 
 
State-Changed-From-To: feedback->closed 
State-Changed-By: ume 
State-Changed-When: Mon Jan 29 11:08:41 PST 2001 
State-Changed-Why:  
Thank you for your report. 
I'll MFC it later. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=24248 
>Unformatted:
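
The following is an added example, not code from PR kern/24248, from ip6fw or from the FreeBSD kernel. It simulates the IPV6_FW_GET round trip entirely in user space so the bug class described in the PR (a socket-option copy-out that ignores the caller's buffer size, hit by ip6fw's fixed struct ip6_fw rules[1024] when more than 1024 rules are loaded) can be seen and tested without a FreeBSD box. fake_ipv6_fw_get() plays the kernel side with the size check the report says was missing, fetch_rules() plays the ip6fw list() side using a grow-and-retry buffer instead of a fixed array, and overrun_bytes() shows how far an unbounded copy would have written past the 1024-entry array. All fake_ names, fetch_rules(), overrun_bytes(), truncated_call_is_safe() and fetch_all_rules_ok() are hypothetical; struct fake_rule stands in for struct ip6_fw, and the 1100-entry table is constructed to match the rule count in the PR's script.

```c
/* Added example, not FreeBSD or ip6fw code: user-space simulation of the
 * IPV6_FW_GET copy-out from PR kern/24248 with a bounded "kernel" side and
 * a grow-and-retry "user" side. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fake_rule { uint32_t fw_number; };   /* stand-in for struct ip6_fw */

#define FAKE_TABLE_RULES 1100               /* constructed: rule count from the PR's script */
static struct fake_rule fake_table[FAKE_TABLE_RULES];

static void fake_table_init(void)
{
    static int done;
    if (done) return;
    for (uint32_t i = 0; i < FAKE_TABLE_RULES; i++)
        fake_table[i].fw_number = i + 1;
    done = 1;
}

/* Bytes an unbounded copy-out of the whole table would write past a caller
 * buffer holding `rules_in_buf` entries; 0 when the buffer is large enough.
 * With ip6fw's 1024-entry array and 1100 rules that is 76 entries' worth. */
size_t overrun_bytes(size_t rules_in_buf)
{
    size_t need = FAKE_TABLE_RULES * sizeof(struct fake_rule);
    size_t cap = rules_in_buf * sizeof(struct fake_rule);
    return need > cap ? need - cap : 0;
}

/* Simulated kernel side with the check the PR says was missing: never write
 * more than *lenp bytes (the caller's buffer size), report the size the full
 * table needs in *lenp, and return ENOBUFS when the copy had to be cut short. */
int fake_ipv6_fw_get(void *buf, size_t *lenp)
{
    fake_table_init();
    size_t need = sizeof fake_table;
    size_t cap = *lenp;
    memcpy(buf, fake_table, need < cap ? need : cap);
    *lenp = need;
    return need <= cap ? 0 : ENOBUFS;
}

/* Simulated user side: instead of a fixed rules[1024] array, start small and
 * grow the buffer to the size the kernel reports until the table fits.
 * Returns the rule count and hands the buffer to the caller, or -1. */
long fetch_rules(struct fake_rule **out)
{
    size_t cap = 64 * sizeof(struct fake_rule);
    struct fake_rule *buf = NULL;
    for (int attempt = 0; attempt < 8; attempt++) {
        struct fake_rule *tmp = realloc(buf, cap);
        if (tmp == NULL) { free(buf); return -1; }
        buf = tmp;
        size_t len = cap;
        int rc = fake_ipv6_fw_get(buf, &len);
        if (rc == 0) { *out = buf; return (long)(len / sizeof(struct fake_rule)); }
        if (rc != ENOBUFS) { free(buf); return -1; }
        cap = len;                 /* the kernel reported how much it really needs */
    }
    free(buf);
    return -1;
}

/* The PR's exact situation (1024-entry buffer, 1100 rules) against the bounded
 * copy-out: the call must report ENOBUFS and the real size, fill the buffer,
 * and leave a canary placed right after the buffer untouched. Returns 1 if so. */
int truncated_call_is_safe(void)
{
    enum { N = 1024 };
    struct { struct fake_rule rules[N]; uint32_t canary; } *b = calloc(1, sizeof *b);
    if (b == NULL) return 0;
    b->canary = 0xDEADBEEFu;
    size_t len = sizeof b->rules;
    int rc = fake_ipv6_fw_get(b->rules, &len);
    int ok = rc == ENOBUFS
          && len == FAKE_TABLE_RULES * sizeof(struct fake_rule)
          && b->canary == 0xDEADBEEFu
          && b->rules[N - 1].fw_number == N;
    free(b);
    return ok;
}

/* Grow-and-retry path: 1 if every rule arrived, in order. */
int fetch_all_rules_ok(void)
{
    struct fake_rule *r = NULL;
    long n = fetch_rules(&r);
    int ok = n == FAKE_TABLE_RULES && r[n - 1].fw_number == FAKE_TABLE_RULES;
    free(r);
    return ok;
}

int main(void)
{
    printf("unbounded copy into a 1024-entry buffer would overrun by %zu bytes\n",
           overrun_bytes(1024));
    printf("bounded copy-out with 1024-entry buffer safe: %d\n", truncated_call_is_safe());
    printf("grow-and-retry fetched all %d rules: %d\n", FAKE_TABLE_RULES, fetch_all_rules_ok());
    return fetch_all_rules_ok() ? 0 : 1;
}
```

The two sides are deliberately separate: the kernel-side bound is what stops a too-small buffer from turning into a memory-safety problem (the hang the PR describes), and the user-side retry is what makes ip6fw work for any rule count without guessing a "big enough" array such as the 65536-entry workaround in the PR. Either side alone leaves a gap; the PR's fix touched both ip6fw.c and ip6_output.c for that reason.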
