NetBSD Problem Report #52536

From www@NetBSD.org  Sun Sep 10 11:41:51 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 3AD097A1AF
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 10 Sep 2017 11:41:51 +0000 (UTC)
Message-Id: <20170910114150.3ADC27A28C@mollari.NetBSD.org>
Date: Sun, 10 Sep 2017 11:41:50 +0000 (UTC)
From: fstd.lkml@gmail.com
Reply-To: fstd.lkml@gmail.com
To: gnats-bugs@NetBSD.org
Subject: ipfilter regression in 8.0_BETA due to double-ntohl
X-Send-Pr-Version: www-1.0

>Number:         52536
>Category:       kern
>Synopsis:       ipfilter regression in 8.0_BETA due to double-ntohl
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    christos
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 10 11:45:00 +0000 2017
>Closed-Date:    Sat Sep 23 17:36:03 +0000 2017
>Last-Modified:  Sat Sep 23 17:36:03 +0000 2017
>Originator:     Timo Buhrmester
>Release:        8.0_BETA
>Organization:
>Environment:
NetBSD lemon.pr0.tips 8.0_BETA NetBSD 8.0_BETA (LEMONKERN) #2: Mon Sep  4 21:28:49 CEST 2017  build@grapefruit.pr0.tips:/usr/obj/sys/arch/i386/compile/LEMONKERN i386
>Description:
> Module Name:  src
> Committed By: christos
> Date:         Fri Aug  5 09:06:52 UTC 2016
>
> Modified Files:
>       src/sys/external/bsd/ipf/netinet: fil.c
>                                         
> Log Message:                            
> partial sync with FreeBSD                 
This commit made the following change to src/sys/external/bsd/ipf/netinet/fil.c:
@@ -1685,7 +1709,7 @@ ipf_pr_ipv4hdr(fr_info_t *fin)
        fin->fin_crc += fi->fi_saddr;
        fi->fi_daddr = ip->ip_dst.s_addr;
        fin->fin_crc += fi->fi_daddr;
-       if (IN_CLASSD(fi->fi_daddr))
+       if (IN_CLASSD(ntohl(fi->fi_daddr)))
                fin->fin_flx |= FI_MULTICAST|FI_MBCAST;

        /*
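Review bot: The ntohl() added inside the IN_CLASSD() test is only correct if IN_CLASSD() expects a host-order argument, and nothing in this hunk establishes that for this tree. Two lines up, fi->fi_daddr is assigned straight from ip->ip_dst.s_addr and was passed to IN_CLASSD() unconverted before the change, so a macro that already accounts for byte order now sees a swapped value and sets FI_MULTICAST|FI_MBCAST on the wrong addresses. Check the local definition of IN_CLASSD() before taking this line from the FreeBSD sync; if it takes the address as stored in s_addr, keep the original call, and add a one-line comment stating the expected byte order so a later sync does not reintroduce the conversion.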

Since NetBSD's IN_CLASSD differs from FreeBSD's, IP addresses are effectively compared backwards.  An address like e.g. 192.168.1.233 will be considered multicast because it /ends/ in 233.

Apparently (just guessing at this point), ipfilter doesn't keep state on multicast packets, so connectivity to addresses that are "backwards" multicast addresses is effectively broken in a whitelisting ipf setup.
>How-To-Repeat:
Run 8.0_BETA, have whitelisting ipfilter, allow (with keep state) a tcp connection to an address that is the wrong byte-order version of a multicast address, try to netcat to that host.  See 'mcast' in ipmon.
>Fix:
Reverting the mentioned hunk (not the whole commit) resolves the problem on my packet filter.

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->christos
Responsible-Changed-By: maya@NetBSD.org
Responsible-Changed-When: Tue, 12 Sep 2017 20:25:05 +0000
Responsible-Changed-Why:
Over to committer


State-Changed-From-To: open->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Sat, 23 Sep 2017 17:36:03 +0000
State-Changed-Why:
fixed. thanks!


>Unformatted:
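The byte-order mix-up described in this report, worked through as an added example (not part of the problem report or the NetBSD source). The two classd_* helpers are hypothetical stand-ins for the two macro styles, assuming NetBSD's IN_CLASSD takes the address in network order and FreeBSD's takes it in host order; a little-endian host like the reporter's i386 is modelled explicitly, and the addresses are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Model a little-endian host (the report is from i386): ntohl() is a byte swap. */
static uint32_t le_ntohl(uint32_t x)
{
    return (x >> 24) | ((x >> 8) & 0x0000ff00u) |
           ((x << 8) & 0x00ff0000u) | (x << 24);
}

/* ip_dst.s_addr as that host holds it: first octet in the lowest byte. */
static uint32_t s_addr_le(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
    return a | (b << 8) | (c << 16) | (d << 24);
}

/* Hypothetical stand-ins for the two macro styles (assumed, see lead-in). */
static int classd_netorder(uint32_t net)    /* operand in network order */
{
    /* The constants are swapped instead of the operand. */
    return (net & le_ntohl(0xf0000000u)) == le_ntohl(0xe0000000u);
}

static int classd_hostorder(uint32_t host)  /* operand in host order */
{
    return (host & 0xf0000000u) == 0xe0000000u;
}

/* The call patterns under discussion, applied to fi->fi_daddr. */
static int before_commit(uint32_t daddr)  { return classd_netorder(daddr); }
static int after_commit(uint32_t daddr)   { return classd_netorder(le_ntohl(daddr)); }
static int host_order_use(uint32_t daddr) { return classd_hostorder(le_ntohl(daddr)); }

int main(void)
{
    /* Constructed sample destinations. */
    static const uint8_t t[][4] = {
        {192, 168, 1, 233}, {224, 0, 0, 251}, {10, 0, 0, 1},
    };
    puts("dst              before  after  host-order");
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        uint32_t d = s_addr_le(t[i][0], t[i][1], t[i][2], t[i][3]);
        printf("%3d.%3d.%3d.%3d  %6d  %5d  %10d\n", t[i][0], t[i][1],
               t[i][2], t[i][3], before_commit(d), after_commit(d),
               host_order_use(d));
    }
    return 0;
}
```

With the extra swap, 192.168.1.233 is flagged as multicast and the genuine multicast address 224.0.0.251 is not; the swap is only correct when paired with the host-order style of test.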
