NetBSD-Bugs archive
bin/54670: npfctl: bugs related tcp flags
>Number: 54670
>Category: bin
>Synopsis: npfctl: bugs related tcp flags
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Nov 01 13:15:00 +0000 2019
>Originator: Azuma OKAMOTO
>Release: 6, 7, 8, 9, current
>Organization:
>Environment:
NetBSD gw.home.ceres.ne.jp 9.0_BETA NetBSD 9.0_BETA (GENERIC) #6: Wed Sep 11 21:59:29 JST 2019 root%gw.home.ceres.ne.jp@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
There is no problem in practical use.
1. Ambiguous whether the letter corresponding to tcp flag TH_CWR is 'W' or 'C'
In npf.conf, letter 'W' is interpreted as TH_CWR.
src/usr.sbin/npf/npfctl/npf_data.c
npfctl_parse_tcpflag()
> case 'W': tfl |= TH_CWR; break;
But 'npfctl show' shows it as 'C'.
src/usr.sbin/npf/npfctl/npf_show.c
tcpflags2string()
> if (tfl & TH_CWR) buf[i++] = 'C';
2. Buffer shortage
The buffer for tcpflags is allocated 16 bytes.
src/usr.sbin/npf/npfctl/npf_show.c
print_tcpflags()
> char buf[16];
But it may use 17 bytes in the following cases:
FSRPAUE/FSRPAUEW (and trailing \0)
>How-To-Repeat:
Add a rule including 'flags FSRPAUE/FSRPAUEW' in /etc/npf.conf.
Run 'npfctl show'.
(A 1-byte overrun does not always cause a segmentation fault.)
>Fix:
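An added example, not part of the original report and not NetBSD's npfctl code: one letter table drives both parsing and display, so TH_CWR cannot be spelled two ways, and the formatter checks bounds against a buffer size derived from that table. The names `flagchars`, `parse_flags`, `put_flags`, `format_flags` and `FLAGSTR_MAX` are hypothetical, and the choice of 'W' for CWR is an assumption that follows the parser.

```c
#include <stdint.h>
#include <string.h>

/* Assumed letter set; bit i of the TCP flags byte maps to flagchars[i]
 * (FIN=0x01 ... ECE=0x40, CWR=0x80). 'W' for CWR follows the parser. */
static const char flagchars[] = "FSRPAUEW";
#define NFLAGS (sizeof(flagchars) - 1)
/* Worst case "FSRPAUEW/FSRPAUEW": NFLAGS + '/' + NFLAGS + NUL = 18 bytes. */
#define FLAGSTR_MAX (2 * NFLAGS + 2)

/* Parse len flag letters into *out; returns -1 on a letter not in the table. */
static int parse_flags(const char *s, size_t len, uint8_t *out)
{
    uint8_t v = 0;
    for (size_t i = 0; i < len; i++) {
        const char *p = s[i] ? strchr(flagchars, s[i]) : NULL;
        if (p == NULL)
            return -1;
        v |= (uint8_t)(1u << (p - flagchars));
    }
    *out = v;
    return 0;
}

/* Append the letters for v at buf[off]; the caller guarantees off < size.
 * Returns the new offset, or (size_t)-1 if letters plus NUL do not fit. */
static size_t put_flags(char *buf, size_t size, size_t off, uint8_t v)
{
    for (size_t k = 0; k < NFLAGS; k++) {
        if ((v & (1u << k)) == 0)
            continue;
        if (off + 1 >= size)    /* always keep one byte for the NUL */
            return (size_t)-1;
        buf[off++] = flagchars[k];
    }
    buf[off] = '\0';
    return off;
}

/* Write "flags/mask" into buf; returns the length, or -1 if buf is too small. */
static int format_flags(char *buf, size_t size, uint8_t fl, uint8_t mask)
{
    size_t off = size ? put_flags(buf, size, 0, fl) : (size_t)-1;
    if (off == (size_t)-1 || off + 1 >= size)
        return -1;
    buf[off++] = '/';
    off = put_flags(buf, size, off, mask);
    return off == (size_t)-1 ? -1 : (int)off;
}
```

With a 16-byte buffer, the report's `FSRPAUE/FSRPAUEW` case returns -1 instead of writing a 17th byte.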