author | Roman Kurakin <rik@FreeBSD.org> | 2008-09-06 17:26:52 +0000 |
committer | Roman Kurakin <rik@FreeBSD.org> | 2008-09-06 17:26:52 +0000 |
commit | d53fe7108b68633a804f36b59b9d5ca6957d33b4 (patch) | |
tree | fd0354cf720ca0591266c2ac7c035768b4e39f3e /sbin/natd | |
parent | 433751bb50daa9243c14450825b0b145471c5a92 (diff) | |
Check rule numbers against the maximum value to avoid rule cleanup due
to overflow.
MFC after: 5 days.
Notes:
svn path=/head/; revision=182825
Diffstat (limited to 'sbin/natd')
-rw-r--r-- | sbin/natd/natd.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c
index 3a5a644c1d51..445077f4fbe0 100644
--- a/sbin/natd/natd.c
+++ b/sbin/natd/natd.c
@@ -130,6 +130,7 @@ static void SetupPunchFW(const char *strValue);
 static void SetupSkinnyPort(const char *strValue);
 static void NewInstance(const char *name);
 static void DoGlobal (int fd);
+static int CheckIpfwRulenum(unsigned int rnum);
 
 /*
  * Globals.
@@ -1947,6 +1948,10 @@ SetupPunchFW(const char *strValue)
 if (sscanf(strValue, "%u:%u", &base, &num) != 2)
 errx(1, "punch_fw: basenumber:count parameter required");
 
+ if (CheckIpfwRulenum(base + num - 1) == -1)
+ errx(1, "punch_fw: basenumber:count parameter should fit " "the maximum allowed rule numbers");
+
 LibAliasSetFWBase(mla, base, num);
 (void)LibAliasSetMode(mla, PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
 }
@@ -1991,3 +1996,22 @@ NewInstance(const char *name)
 mla = ip->la;
 mip = ip;
 }
+
+static int
+CheckIpfwRulenum(unsigned int rnum)
+{
+ unsigned int default_rule;
+ size_t len = sizeof(default_rule);
+
+ if (sysctlbyname("net.inet.ip.fw.default_rule", &default_rule, &len, NULL, 0) == -1) {
+ warn("Failed to get the default ipfw rule number, using " "default historical value 65535. The reason was");
+ default_rule = 65535;
+ }
+ if (rnum >= default_rule) {
+ return -1;
+ }
+
+ return 0;
+}
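Review bot: `base + num - 1` in the new guard in SetupPunchFW is evaluated in unsigned arithmetic and can itself wrap, so a sufficiently large base or num (or num == 0, which yields base - 1) reaches CheckIpfwRulenum with a value unrelated to the real top of the requested range and the overflow the commit wants to prevent slips through. Validate the operands before forming the sum, e.g. `if (num == 0 || num - 1 > UINT_MAX - base || CheckIpfwRulenum(base + num - 1) == -1)`, keeping the existing errx as the failure path; UINT_MAX needs <limits.h>, which may or may not already be included since the top of the file is outside the hunk. Whether LibAliasSetFWBase rejects num == 0 on its own is not visible here, so the check is worth doing at this point regardless. SetupPunchFW begins before the hunk.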
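Review bot: CheckIpfwRulenum carries no comment stating its contract, and the fallback 65535 is a bare literal that appears both inside the warn() text and in the assignment that follows it. A header comment such as `/* Return 0 if rnum is below the ipfw default rule number (read from net.inet.ip.fw.default_rule, 65535 when that sysctl is unavailable), -1 otherwise. */` would make the -1/0 convention clear to callers, and a named constant for 65535 would keep the message and the value from drifting apart. If sysctlbyname succeeds but fills fewer than sizeof(default_rule) bytes the variable is left partly uninitialized; whether that can happen for this sysctl is not visible here, so treating `len != sizeof(default_rule)` the same as a failed call would be a cheap extra check.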