Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-3]: src/sys/dist/ipf/netinet Pull up revision 1.7 (requested by m...
details: https://anonhg.NetBSD.org/src/rev/3943ef961003
branches: netbsd-3
changeset: 575110:3943ef961003
user: tron <tron%NetBSD.org@localhost>
date: Mon Apr 04 18:25:58 2005 +0000
description:
Pull up revision 1.7 (requested by martti in ticket #106):
Upgraded IPFilter to 4.1.8
diffstat:
sys/dist/ipf/netinet/ip_ftp_pxy.c | 294 ++++++++++++++++++------------------
sys/dist/ipf/netinet/ip_nat.c | 302 +++++++++++++++++++++++++++----------
sys/dist/ipf/netinet/ip_state.c | 225 +++++++++++++++++-----------
3 files changed, 508 insertions(+), 313 deletions(-)
diffs (truncated from 1723 to 300 lines):
diff -r 00cfb0460a1f -r 3943ef961003 sys/dist/ipf/netinet/ip_ftp_pxy.c
--- a/sys/dist/ipf/netinet/ip_ftp_pxy.c Mon Apr 04 18:25:44 2005 +0000
+++ b/sys/dist/ipf/netinet/ip_ftp_pxy.c Mon Apr 04 18:25:58 2005 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: ip_ftp_pxy.c,v 1.6 2005/02/19 21:30:25 martti Exp $ */
+/* $NetBSD: ip_ftp_pxy.c,v 1.6.2.1 2005/04/04 18:25:58 tron Exp $ */
#include <sys/cdefs.h>
-__KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.6 2005/02/19 21:30:25 martti Exp $");
+__KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.6.2.1 2005/04/04 18:25:58 tron Exp $");
/*
* Copyright (C) 1997-2003 by Darren Reed
@@ -11,7 +11,7 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
- * Id: ip_ftp_pxy.c,v 2.88.2.10 2005/02/04 10:22:54 darrenr Exp
+ * Id: ip_ftp_pxy.c,v 2.88.2.15 2005/03/19 19:38:10 darrenr Exp
*/
#define IPF_FTP_PROXY
@@ -22,14 +22,6 @@
#define IPF_MAX227LEN 51
#define IPF_MIN229LEN 47
#define IPF_MAX229LEN 51
-/*
- * On Unix, a pathname can be upto 256 bytes long, so that must fit in half
- * of the buffer. Why half? Because we allow a message being parsed to
- * start upto half way into the buffer so less arbitrary moving around of
- * data to make messages fit is required. And so, 526 is 2*(4+1+256+2)
- * (XXXX path\r\n)
- */
-#define IPF_FTPBUFSZ 526 /* This *MUST* be >= 53! */
#define FTPXY_GO 0
#define FTPXY_INIT 1
@@ -190,7 +182,7 @@
if (dlen < IPF_MINPORTLEN) {
if (ippr_ftp_debug > 1)
printf("ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n",
- dlen);
+ dlen);
return 0;
}
/*
@@ -212,6 +204,7 @@
printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 2);
return 0;
}
+
/*
* Check that IP address in the PORT/PASV reply is the same as the
* sender of the command - prevents using PORT for port scanning.
@@ -249,8 +242,19 @@
printf("ippr_ftp_port:missing %s\n", "cr-lf");
return 0;
}
+
a5 >>= 8;
a5 &= 0xff;
+ sp = a5 << 8 | a6;
+ /*
+ * Don't allow the PORT command to specify a port < 1024 due to
+ * security crap.
+ */
+ if (sp < 1024) {
+ if (ippr_ftp_debug > 0)
+ printf("ippr_ftp_port:sp(%d) < 1024\n", sp);
+ return 0;
+ }
/*
* Calculate new address parts for PORT command
*/
@@ -277,7 +281,7 @@
if ((inc + ip->ip_len) > 65535) {
if (ippr_ftp_debug > 0)
printf("ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n",
- inc);
+ inc);
return 0;
}
@@ -287,16 +291,16 @@
# if defined(MENTAT)
if (inc < 0)
(void)adjmsg(m, inc);
-# else
+# else /* defined(MENTAT) */
+ /*
+ * m_adj takes care of pkthdr.len, if required and treats inc<0 to
+ * mean remove -len bytes from the end of the packet.
+ * The mbuf chain will be extended if necessary by m_copyback().
+ */
if (inc < 0)
m_adj(m, inc);
-# ifdef M_PKTHDR
- if (!(m->m_flags & M_PKTHDR))
- m->m_pkthdr.len += inc;
-# endif
-# endif
-#endif
- /* the mbuf chain will be extended if necessary by m_copyback() */
+# endif /* defined(MENTAT) */
+#endif /* !defined(_KERNEL) */
COPYBACK(m, off, nlen, newbuf);
if (inc != 0) {
@@ -306,20 +310,6 @@
}
/*
- * Add skeleton NAT entry for connection which will come back the
- * other way.
- */
- sp = a5 << 8 | a6;
- /*
- * Don't allow the PORT command to specify a port < 1024 due to
- * security crap.
- */
- if (sp < 1024) {
- if (ippr_ftp_debug > 0)
- printf("ippr_ftp_port:sp(%d) < 1024\n", sp);
- return 0;
- }
- /*
* The server may not make the connection back from port 20, but
* it is the most likely so use it here to check for a conflicting
* mapping.
@@ -330,6 +320,10 @@
fi.fin_flx |= FI_IGNORE;
fi.fin_data[0] = sp;
fi.fin_data[1] = fin->fin_data[1] - 1;
+ /*
+ * Add skeleton NAT entry for connection which will come back the
+ * other way.
+ */
if (nat->nat_dir == NAT_OUTBOUND)
nat2 = nat_outlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
nat->nat_inip, nat->nat_oip);
@@ -490,7 +484,7 @@
ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) {
if (ippr_ftp_debug > 0)
printf("ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n",
- ftp->ftp_side[0].ftps_cmds);
+ ftp->ftp_side[0].ftps_cmds);
return 0;
}
@@ -503,7 +497,7 @@
if (dlen < IPF_MIN227LEN) {
if (ippr_ftp_debug > 1)
printf("ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n",
- dlen);
+ dlen);
return 0;
} else if (strncmp(f->ftps_rptr,
"227 Entering Passive Mod", PASV_REPLEN)) {
@@ -645,20 +639,24 @@
if ((inc + ip->ip_len) > 65535) {
if (ippr_ftp_debug > 0)
printf("ippr_ftp_pasv:inc(%d) + ip->ip_len > 65535\n",
- inc);
+ inc);
return 0;
}
#if !defined(_KERNEL)
- bcopy(newmsg, (char *)m + off, nlen);
+ bcopy(newmsg, MTOD(m, char *) + off, nlen);
#else
# if defined(MENTAT)
if (inc < 0)
(void)adjmsg(m, inc);
# else /* defined(MENTAT) */
+ /*
+ * m_adj takes care of pkthdr.len, if required and treats inc<0 to
+ * mean remove -len bytes from the end of the packet.
+ * The mbuf chain will be extended if necessary by m_copyback().
+ */
if (inc < 0)
m_adj(m, inc);
- /* the mbuf chain will be extended if necessary by m_copyback() */
# endif /* defined(MENTAT) */
#endif /* !defined(_KERNEL) */
COPYBACK(m, off, nlen, newmsg);
@@ -832,18 +830,23 @@
char *buf;
size_t len;
{
- register char *s, c;
+ register char *s, c, pc;
register size_t i = len;
char cmd[5];
+ s = buf;
+
+ if (ftps->ftps_junk == 1)
+ return 1;
+
if (i < 5) {
if (ippr_ftp_debug > 3)
printf("ippr_ftp_client_valid:i(%d) < 5\n", (int)i);
return 2;
}
- s = buf;
+
+ i--;
c = *s++;
- i--;
if (ISALPHA(c)) {
cmd[0] = TOUPPER(c);
@@ -872,15 +875,17 @@
} else {
bad_client_command:
if (ippr_ftp_debug > 3)
- printf("ippr_ftp_client_valid:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n",
- ftps->ftps_junk, (int)len, (int)i, c,
- (int)len, (int)len, buf);
+ printf("%s:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n",
+ "ippr_ftp_client_valid",
+ ftps->ftps_junk, (int)len, (int)i, c,
+ (int)len, (int)len, buf);
return 1;
}
for (; i; i--) {
+ pc = c;
c = *s++;
- if (c == '\n') {
+ if ((pc == '\r') && (c == '\n')) {
cmd[4] = '\0';
if (!strcmp(cmd, "PASV"))
ftps->ftps_cmds = FTPXY_C_PASV;
@@ -890,7 +895,8 @@
}
}
#if !defined(_KERNEL)
- printf("ippr_ftp_client_valid:junk after cmd[%s]\n", buf);
+ printf("ippr_ftp_client_valid:junk after cmd[%*.*s]\n",
+ (int)len, (int)len, buf);
#endif
return 2;
}
@@ -901,17 +907,24 @@
char *buf;
size_t len;
{
- register char *s, c;
+ register char *s, c, pc;
register size_t i = len;
int cmd;
- if (i < 5)
+ s = buf;
+ cmd = 0;
+
+ if (ftps->ftps_junk == 1)
+ return 1;
+
+ if (i < 5) {
+ if (ippr_ftp_debug > 3)
+ printf("ippr_ftp_servert_valid:i(%d) < 5\n", (int)i);
return 2;
- s = buf;
+ }
+
c = *s++;
- cmd = 0;
i--;
-
if (c == ' ')
goto search_eol;
@@ -936,22 +949,24 @@
} else {
bad_server_command:
if (ippr_ftp_debug > 3)
- printf("ippr_ftp_server_valid:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n",
- ftps->ftps_junk, (int)len, (int)i,
- c, (int)len, (int)len, buf);
+ printf("%s:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n",
+ "ippr_ftp_server_valid",
+ ftps->ftps_junk, (int)len, (int)i,
+ c, (int)len, (int)len, buf);
return 1;
}
search_eol:
for (; i; i--) {
+ pc = c;
c = *s++;
- if (c == '\n') {
+ if ((pc == '\r') && (c == '\n')) {
ftps->ftps_cmds = cmd;
return 0;
}
}
- if (ippr_ftp_debug > 1)
+ if (ippr_ftp_debug > 3)
Home |
Main Index |
Thread Index |
Old Index