Check rule numbers against the maximum value to avoid rules cleanup due to overflow.

MFC after:	5 days.
Roman Kurakin 2008-09-06 17:26:52 +00:00
parent 433751bb50
commit d53fe7108b
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=182825


@ -130,6 +130,7 @@ static void SetupPunchFW(const char *strValue);
static void SetupSkinnyPort(const char *strValue);
static void NewInstance(const char *name);
static void DoGlobal (int fd);
static int CheckIpfwRulenum(unsigned int rnum);
/*
* Globals.
@ -1947,6 +1948,10 @@ SetupPunchFW(const char *strValue)
if (sscanf(strValue, "%u:%u", &base, &num) != 2)
errx(1, "punch_fw: basenumber:count parameter required");
if (CheckIpfwRulenum(base + num - 1) == -1)
errx(1, "punch_fw: basenumber:count parameter should fit "
"the maximum allowed rule numbers");
LibAliasSetFWBase(mla, base, num);
(void)LibAliasSetMode(mla, PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
}
@ -1991,3 +1996,22 @@ NewInstance(const char *name)
mla = ip->la;
mip = ip;
}
static int
CheckIpfwRulenum(unsigned int rnum)
{
unsigned int default_rule;
size_t len = sizeof(default_rule);
if (sysctlbyname("net.inet.ip.fw.default_rule", &default_rule, &len,
NULL, 0) == -1) {
warn("Failed to get the default ipfw rule number, using "
"default historical value 65535. The reason was");
default_rule = 65535;
}
if (rnum >= default_rule) {
return -1;
}
return 0;
}
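Review bot: The new check `if (CheckIpfwRulenum(base + num - 1) == -1)` in SetupPunchFW can be bypassed by unsigned wraparound: `base` and `num` come straight from `sscanf("%u:%u")`, so a pair whose sum exceeds UINT_MAX wraps to a small value that passes the comparison against default_rule, and `num == 0` makes the call test `base - 1` rather than any real rule. Guarding the arithmetic before the call closes both gaps, e.g. `if (num == 0 || num - 1 > UINT_MAX - base || CheckIpfwRulenum(base + num - 1) == -1)` (UINT_MAX needs <limits.h>; the include block is outside the hunk, so whether it is already pulled in cannot be seen here). In CheckIpfwRulenum a one-line comment on the fallback would help the next reader, e.g. `/* historical ipfw default rule number, used when the sysctl is unavailable */` above `default_rule = 65535;`. SetupPunchFW's signature and the declarations of base and num lie outside the hunk, so their types are inferred from the %u conversions.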