NetBSD Problem Report #52536
From www@NetBSD.org Sun Sep 10 11:41:51 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 3AD097A1AF
for <gnats-bugs@gnats.NetBSD.org>; Sun, 10 Sep 2017 11:41:51 +0000 (UTC)
Message-Id: <20170910114150.3ADC27A28C@mollari.NetBSD.org>
Date: Sun, 10 Sep 2017 11:41:50 +0000 (UTC)
From: fstd.lkml@gmail.com
Reply-To: fstd.lkml@gmail.com
To: gnats-bugs@NetBSD.org
Subject: ipfilter regression in 8.0_BETA due to double-ntohl
X-Send-Pr-Version: www-1.0
>Number: 52536
>Category: kern
>Synopsis: ipfilter regression in 8.0_BETA due to double-ntohl
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: christos
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Sep 10 11:45:00 +0000 2017
>Closed-Date: Sat Sep 23 17:36:03 +0000 2017
>Last-Modified: Sat Sep 23 17:36:03 +0000 2017
>Originator: Timo Buhrmester
>Release: 8.0_BETA
>Organization:
>Environment:
NetBSD lemon.pr0.tips 8.0_BETA NetBSD 8.0_BETA (LEMONKERN) #2: Mon Sep 4 21:28:49 CEST 2017 build@grapefruit.pr0.tips:/usr/obj/sys/arch/i386/compile/LEMONKERN i386
>Description:
> Module Name: src
> Committed By: christos
> Date: Fri Aug 5 09:06:52 UTC 2016
>
> Modified Files:
> src/sys/external/bsd/ipf/netinet: fil.c
>
> Log Message:
> partial sync with FreeBSD
This commit made the following change to src/sys/external/bsd/ipf/netinet/fil.c:
@@ -1685,7 +1709,7 @@ ipf_pr_ipv4hdr(fr_info_t *fin)
fin->fin_crc += fi->fi_saddr;
fi->fi_daddr = ip->ip_dst.s_addr;
fin->fin_crc += fi->fi_daddr;
- if (IN_CLASSD(fi->fi_daddr))
+ if (IN_CLASSD(ntohl(fi->fi_daddr)))
fin->fin_flx |= FI_MULTICAST|FI_MBCAST;
/*
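Review bot: The ntohl() added on the + line is the double conversion the synopsis names. On NetBSD, fi_daddr as copied from ip->ip_dst.s_addr is already in the form IN_CLASSD expects (NetBSD's macro compares against htonl()'d constants, which is the difference from FreeBSD's host-order macro the report describes), so IN_CLASSD(ntohl(fi->fi_daddr)) tests a byte-swapped address: on a little-endian host 192.168.1.233 gets FI_MULTICAST|FI_MBCAST while genuine 224.0.0.0/4 destinations do not. Keep `if (IN_CLASSD(fi->fi_daddr))` here, or make the ntohl() conditional on the platform whose IN_CLASSD takes host order, so that syncing the hunk from FreeBSD does not also import FreeBSD's macro calling convention.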
Since NetBSD's IN_CLASSD differs from FreeBSD's, IP addresses are effectively compared backwards. An address like e.g. 192.168.1.233 will be considered multicast because it /ends/ in 233.
Apparently (just guessing at this point), ipfilter doesn't keep state on multicast packets, so connectivity to addresses that are "backwards" multicast addresses is effectively broken in a whitelisting ipf setup.
>How-To-Repeat:
Run 8.0_BETA, have whitelisting ipfilter, allow (with keep state) a tcp connection to an address that is the wrong byte-order version of a multicast address, try to netcat to that host. See 'mcast' in ipmon.
>Fix:
Reverting the mentioned hunk (not the whole commit) resolves the problem on my packet filter.
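The byte-order mismatch behind this PR, as an added stand-alone demonstration that is not part of the report or of either BSD tree: the two macro bodies are my rendering of the NetBSD (network-order) and FreeBSD (host-order) IN_CLASSD definitions and the helper names are assumptions; the program shows that the extra ntohl() makes NetBSD's macro accept 192.168.1.233 as class D and reject 224.0.0.1 on a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htonl()/ntohl(); the host's own IN_CLASSD is deliberately not used */

/*
 * Models of the two IN_CLASSD variants (assumed renderings, not copied code).
 * NetBSD's macro compares against htonl()'d constants, so it wants the address
 * exactly as stored in struct in_addr / fi_daddr (network byte order).
 * FreeBSD's macro uses plain constants, so it wants host byte order, which is
 * why FreeBSD's fil.c has to call ntohl() first.
 */
#define NETBSD_IN_CLASSD(i)  ((((uint32_t)(i)) & htonl(0xf0000000)) == htonl(0xe0000000))
#define FREEBSD_IN_CLASSD(i) ((((uint32_t)(i)) & 0xf0000000) == 0xe0000000)

/* Build a network-byte-order address from dotted-quad octets, like ip->ip_dst.s_addr. */
static uint32_t addr_n(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return htonl(((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d);
}

/* fil.c before the commit: macro applied to the stored (network-order) address. */
static int netbsd_is_mcast_correct(uint32_t daddr_n)
{
    return NETBSD_IN_CLASSD(daddr_n) ? 1 : 0;
}

/* fil.c after the commit: the added ntohl() feeds the macro a byte-swapped value. */
static int netbsd_is_mcast_double_ntohl(uint32_t daddr_n)
{
    return NETBSD_IN_CLASSD(ntohl(daddr_n)) ? 1 : 0;
}

/* The same hunk on FreeBSD, where ntohl() before the macro is required. */
static int freebsd_is_mcast(uint32_t daddr_n)
{
    return FREEBSD_IN_CLASSD(ntohl(daddr_n)) ? 1 : 0;
}

int main(void)
{
    uint32_t unicast = addr_n(192, 168, 1, 233); /* the reporter's example: ends in 233 */
    uint32_t mcast   = addr_n(224, 0, 0, 1);     /* a genuine class D address */

    printf("192.168.1.233: correct=%d double_ntohl=%d freebsd=%d\n", netbsd_is_mcast_correct(unicast),
           netbsd_is_mcast_double_ntohl(unicast), freebsd_is_mcast(unicast));
    printf("224.0.0.1:     correct=%d double_ntohl=%d freebsd=%d\n", netbsd_is_mcast_correct(mcast),
           netbsd_is_mcast_double_ntohl(mcast), freebsd_is_mcast(mcast));
    return 0;
}
```

On a big-endian host ntohl() is the identity and the double conversion is harmless, which is why the regression only shows on the i386 build in the report's environment and similar hosts.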
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->christos
Responsible-Changed-By: maya@NetBSD.org
Responsible-Changed-When: Tue, 12 Sep 2017 20:25:05 +0000
Responsible-Changed-Why:
Over to committer
State-Changed-From-To: open->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Sat, 23 Sep 2017 17:36:03 +0000
State-Changed-Why:
fixed. thanks!
>Unformatted: