Max Laier has problems getting Email through the OpenBSD MX, so I am
forwarding this for him.
- Marc Balmer
From: Max Laier <[email protected]>
Date: 20 August 2009 17:33:24 GMT+02:00
To: [email protected]
Subject: Fwd: PF fix.
The problem Pawel discovered (s.b.) still exists in OpenBSD current.
I sent Pawel's analysis to Henning and Ryan yesterday, but since I
haven't heard back yet, I'm guessing summer holidays. So could somebody
take a look? The patch is against FreeBSD, but should apply with a bit
of fuzz and -p3 in OpenBSD src/sys just as well. Thanks.
---------- Forwarded Message ----------
Subject: PF fix.
Date: Wednesday 19 August 2009
From: Pawel Jakub Dawidek <[email protected]>
To: [email protected]
Hi.
I just found a bug in PF where the order of arguments for memcpy() is
messed up. If you have a rule like this:
pass on net1 from (net0) to any
And more than 64 aliases on net0, this will fail.
I also changed pfi_buffer_cnt to pfi_buffer_max, because the if
statement suggests that pfi_buffer_cnt can be greater than
pfi_buffer_max. If that would be true then we would try to copy too much.
Although from looking at the code I don't believe this is possible.
The patch is here:
http://people.freebsd.org/~pjd/patches/pf_if.c.patch
--
Pawel Jakub Dawidek http://www.wheel.pl
[email protected] http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
-------------------------------------------------------
--- sys/contrib/pf/net/pf_if.c (wersja 196288)
+++ sys/contrib/pf/net/pf_if.c (kopia robocza)
@@ -663,7 +663,7 @@ pfi_address_add(struct sockaddr *sa, int af, int n
"(%d/%d)\n", pfi_buffer_cnt, PFI_BUFFER_MAX);
return;
}
- memcpy(pfi_buffer, p, pfi_buffer_cnt * sizeof(*pfi_buffer));
+ memcpy(p, pfi_buffer, pfi_buffer_max * sizeof(*pfi_buffer));
/* no need to zero buffer */
free(pfi_buffer, PFI_MTYPE);
pfi_buffer = p;
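Review bot: on the added memcpy() line, the length is now pfi_buffer_max * sizeof(*pfi_buffer), which is a safe read from the old pfi_buffer only if pfi_buffer_max still holds the old capacity at this point. The hunk does not show where pfi_buffer_max is raised, so please confirm that assignment comes after `pfi_buffer = p`, and consider a one-line comment next to the memcpy() saying so. The argument swap itself looks right: the removed line copied from p into pfi_buffer immediately before `free(pfi_buffer, PFI_MTYPE)`, so the existing entries never reached the buffer that is kept. Since replacing pfi_buffer_cnt with pfi_buffer_max is a separate, defensive change, it deserves its own sentence in the commit log.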
--
/"\ Best regards, | [email protected]
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mla...@efnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
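
The failure described in the report, as an added user-space example that is not part of the original thread or of the pf sources: a buffer that doubles when full, with the swapped copy next to the corrected one. The names `addr_buf`, `buf_add` and `surviving` are hypothetical, the initial capacity of 64 is inferred from "more than 64 aliases", and calloc() stands in for the kernel allocator so the swapped copy produces deterministic zeros.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define INITIAL_MAX 64  /* assumption: inferred from "more than 64 aliases" */

/* Hypothetical user-space stand-in for pfi_buffer and its counters. */
struct addr_buf { int *buf; int cnt; int max; };

/* Append v, doubling the buffer when full; buggy != 0 swaps dst and src. */
static int buf_add(struct addr_buf *b, int v, int buggy)
{
    if (b->buf == NULL) {
        if ((b->buf = calloc(INITIAL_MAX, sizeof(*b->buf))) == NULL)
            return -1;
        b->max = INITIAL_MAX;
    }
    if (b->cnt >= b->max) {
        /* calloc, not malloc, so the swapped copy yields deterministic zeros */
        int *p = calloc((size_t)b->max * 2, sizeof(*p));
        if (p == NULL)
            return -1;
        if (buggy)
            memcpy(b->buf, p, (size_t)b->cnt * sizeof(*p)); /* new -> old */
        else
            memcpy(p, b->buf, (size_t)b->max * sizeof(*p)); /* old -> new */
        free(b->buf);
        b->buf = p;
        b->max *= 2;  /* capacity is raised only after the copy */
    }
    b->buf[b->cnt++] = v;
    return 0;
}

/* Store 1..n and return how many entries still hold their value. */
static int surviving(int n, int buggy)
{
    struct addr_buf b = { NULL, 0, 0 };
    int i, ok = 0;
    for (i = 0; i < n && buf_add(&b, i + 1, buggy) == 0; i++) {}
    for (i = 0; i < b.cnt; i++)
        ok += (b.buf[i] == i + 1);
    free(b.buf);
    return ok;
}

int main(void)
{
    printf("65 entries: fixed keeps %d, swapped keeps %d\n", surviving(65, 0), surviving(65, 1));
    return 0;
}
```

With 64 entries or fewer both variants behave the same; the 65th entry triggers the first grow, after which the swapped copy leaves only the newest entry intact.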