authorcsjp <csjp@FreeBSD.org>2004-09-11 19:44:29 +0000
committercsjp <csjp@FreeBSD.org>2004-09-11 19:44:29 +0000
commitb1981485f76169c84d5d3e162d766c201f05fd08 (patch)
treeccd585c1a821cbf9f98880d7d88a74a09a45f176 /sbin/ipfw
parent96c3a115d5f84315d91ae23ca2b49933171b6ede (diff)
Currently when ipfw(8) generates the micro-instructions for rules which
contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical operator bits get clobbered, making it impossible to use the ``NOT'' or ``OR'' operators with uid, gid and jail based constraints. The ipfw_insn instruction template contains a ``len'' element which stores two pieces of information: the size of the instruction (in 32-bit words) in the low 6 bits of "len", with the 2 remaining bits used to implement OR and NOT. The current code clobbers the OR and NOT bits by initializing the ``len'' element to the size, rather than OR'ing the bits. This change fixes this by changing the initialization of cmd->len to an OR operation for the O_UID, O_GID and O_JAIL opcodes. This may be a MFC candidate for RELENG_5. Reviewed by: andre Approved by: luigi PR: kern/63961 (partially)
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw2.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index c7ccfd5..4d7c535 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -3296,7 +3296,7 @@ read_options:
if (pwd == NULL)
errx(EX_DATAERR, "uid \"%s\" nonexistent", *av);
cmd32->d[0] = pwd->pw_uid;
- cmd->len = F_INSN_SIZE(ipfw_insn_u32);
+ cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
ac--; av++;
}
break;
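Review bot: `cmd->len |= F_INSN_SIZE(ipfw_insn_u32);` yields the right length only if the low six size bits of `cmd->len` are still zero when this case is reached; if an earlier step had already stored a size there, the OR would merge two sizes rather than replace one. That initial state is set outside this hunk (the enclosing `read_options` case starts and ends beyond it), so I would make the intent explicit with `cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_u32);`, or at least add a comment such as `/* preserve F_NOT/F_OR; size bits are still zero here */`. The same line appears in the O_GID and O_JAIL hunks below and deserves the same treatment. Because a dropped F_NOT silently inverts what a firewall rule matches, a regression test that adds negated uid, gid and jail rules and checks how they are listed back would guard against this class of bug.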
@@ -3314,7 +3314,7 @@ read_options:
if (grp == NULL)
errx(EX_DATAERR, "gid \"%s\" nonexistent", *av);
cmd32->d[0] = grp->gr_gid;
- cmd->len = F_INSN_SIZE(ipfw_insn_u32);
+ cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
ac--; av++;
}
break;
@@ -3330,7 +3330,7 @@ read_options:
if (jid < 0 || *end != '\0')
errx(EX_DATAERR, "jail requires prison ID");
cmd32->d[0] = (unsigned int)jid;
- cmd->len = F_INSN_SIZE(ipfw_insn_u32);
+ cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
ac--; av++;
}
break;
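Review bot: The context line `cmd32->d[0] = (unsigned int)jid;` is guarded only by `jid < 0 || *end != '\0'`, so if `jid` is a `long` (its declaration and the parsing call are outside this hunk) a value above `UINT_MAX` would be truncated and the rule would match a different prison ID than the one typed. An empty argument also appears to pass the `*end` test and be accepted as ID 0, assuming the usual strtol-style parse. Since this commit touches the block anyway, consider tightening the check to something like `if (end == *av || *end != '\0' || jid < 0 || jid > UINT_MAX)`, after confirming against the lines above the hunk that `*av` is the string being parsed.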