diff options
| author | vangyzen <vangyzen@FreeBSD.org> | 2017-03-10 20:38:18 +0000 |
|---|---|---|
| committer | vangyzen <vangyzen@FreeBSD.org> | 2017-03-10 20:38:18 +0000 |
| commit | f21fbb3c5d03938f64b646d4b8abde71145ca2d9 (patch) | |
| tree | fa1f2ab0eb6a4b29bd7424ada71bf113822612ce | |
| parent | 51b7c737fb7424e4272adf780b2df01d5b808d3c (diff) | |
| download | FreeBSD-src-f21fbb3c5d03938f64b646d4b8abde71145ca2d9.zip FreeBSD-src-f21fbb3c5d03938f64b646d4b8abde71145ca2d9.tar.gz | |
MFC r313820
pf: use inet_ntoa_r() instead of inet_ntoa(); maybe fix IPv6 OS fingerprinting
inet_ntoa() cannot be used safely in a multithreaded environment
because it uses a static local buffer. Instead, use inet_ntoa_r()
with a buffer on the caller's stack.
This code had an INET6 conditional before this commit, but opt_inet6.h
was not included, so INET6 was never defined. Apparently, pf's OS
fingerprinting hasn't worked with IPv6 for quite some time.
This commit might fix it, but I didn't test that.
Relnotes: yes (if I/someone can test pf OS fingerprinting with IPv6)
Sponsored by: Dell EMC
| -rw-r--r-- | sys/netpfil/pf/pf_osfp.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/sys/netpfil/pf/pf_osfp.c b/sys/netpfil/pf/pf_osfp.c index b20a64e..2757b3b 100644 --- a/sys/netpfil/pf/pf_osfp.c +++ b/sys/netpfil/pf/pf_osfp.c @@ -19,6 +19,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_inet6.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/socket.h> @@ -30,8 +32,10 @@ __FBSDID("$FreeBSD$"); #include <net/if.h> #include <net/pfvar.h> +#ifdef INET6 #include <netinet/ip6.h> #include <netinet6/in6_var.h> +#endif static MALLOC_DEFINE(M_PFOSFP, "pf_osfp", "pf(4) operating system fingerprints"); #define DPFPRINTF(format, x...) \ @@ -91,7 +95,11 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const st struct pf_os_fingerprint fp, *fpresult; int cnt, optlen = 0; const u_int8_t *optp; - char srcname[128]; +#ifdef INET6 + char srcname[INET6_ADDRSTRLEN]; +#else + char srcname[INET_ADDRSTRLEN]; +#endif if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN) return (NULL); @@ -107,7 +115,7 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const st fp.fp_ttl = ip->ip_ttl; if (ip->ip_off & htons(IP_DF)) fp.fp_flags |= PF_OSFP_DF; - strlcpy(srcname, inet_ntoa(ip->ip_src), sizeof(srcname)); + inet_ntoa_r(ip->ip_src, srcname); } #ifdef INET6 else if (ip6) { @@ -116,8 +124,7 @@ pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const st fp.fp_ttl = ip6->ip6_hlim; fp.fp_flags |= PF_OSFP_DF; fp.fp_flags |= PF_OSFP_INET6; - strlcpy(srcname, ip6_sprintf((struct in6_addr *)&ip6->ip6_src), - sizeof(srcname)); + ip6_sprintf(srcname, (const struct in6_addr *)&ip6->ip6_src); } #endif else |
