kern/41647: ipfilter: ip-sync accesses wrong rule in ipfsync_state

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/41647: ipfilter: ip-sync accesses wrong rule in ipfsync_state
From: Wolfgang.Stukenbrock%nagler-company.com@localhost
Date: Mon, 29 Jun 2009 12:05:00 +0000 (UTC)

>Number:         41647
>Category:       kern
>Synopsis:       ipfilter: ip-sync accesses wrong rule in ipfsync_state
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 29 12:05:00 +0000 2009
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 5.0
>Organization:
Dr. Nagler & Company GmbH
        
>Environment:
        
        
System: NetBSD s012 4.0 NetBSD 4.0 (NSW-S012) #9: Fri Mar 13 12:31:52 CET 2009 
wgstuken@s012:/usr/src/sys/arch/amd64/compile/NSW-S012 amd64
Architecture: x86_64
Machine: amd64
>Description:
        In /usr/sys/sys/dist/ipf/netinet/ip_sync.c around line 568 the routine 
fr_getrulen() is called
        in order to find "the same rule on the slave as on the master".
        This function is located in /usr/src/sys/dist/ipf/netinet/fil.c around 
line 3442.
        The comment of this function say, that it should return a rule of a 
group - if any.
        But it uses the member fg_head in the group structure, that will point 
to the first rule, that
        defines an entry to the group - this means the first rule with "head 
<n>" in it.
        So it will return a pointer to a rule located in the list where the 
head-entry is in - not
        a pointer to a rule inside of the group!
        So either the comment/description of this routine is wrong or the 
ip_sync code gets a wrong
        pointer. The fr_getrulen() functions is used only in ipfsync_state() 
that itself is used
        only in ipfsync_write() in the whole NetBSD sources. ipfsync_write() 
seems to be a kernel
        function (_KERNEL must be defined).
        A comment above states that this routine is for debugging only - so it 
is possible that this
        issue does harm operation of NetBSD.
        The function ipfsync_write() is used in iplwrite() in 
/usr/src/sys/dist/ipf/netinet/ip_fil_netbsd.c
        if IPFILTER_SYNC is defined - and it looks like that this is an option 
not used in any kernel
        config.
        The same "problem" seems to be in the function fr_rulen(), but that 
functions is not used
        anywhere in the whole source tree (/usr/src). Perhaps that one should 
be disabled via "#if 0".
>How-To-Repeat:
        Seen by a look into the sources while trying to understand  the 
behaviour of group processing.
        We do not use the ip_sync stuff at all as far as my understanding of 
this part of the kernel
        has grown till now.
>Fix:
        depends on the correct behaviour of the code:
        either use fg_start instead of fg_head
        or correct the comment to avoid further confusion.

>Unformatted:

Prev by Date: RE: kern/41597: Load balancing (ECMP) on NetSD 3.1
Next by Date: Re: port-i386/41624: atheros-card works in 4.0 but not in 5.0
Previous by Thread: lib/41645: pthread_cond_timedwait(3) doesn't timeout if NULL is given as abstime argument
Next by Thread: Re: misc/41628 (OpenSSL's c_rehash can't find openssl binary (patch supplied))
Indexes:

Home | Main Index | Thread Index | Old Index