authorjulian <julian@FreeBSD.org>1997-12-19 03:36:15 +0000
committerjulian <julian@FreeBSD.org>1997-12-19 03:36:15 +0000
commitefed7b6cdc3b52ec7b15070962717a321fead604 (patch)
tree29973ac1d2003e2344de2681c47b3285276ddbdc /sys/netinet/ip_fw.c
parent21d1d08bb0b58cff32679b91e2d84e00a4bbcf98 (diff)
Fix an incredibly horrible bug in the ipfw code
where, if you are using the "reset tcp" firewall command, the kernel would write Ethernet headers onto random kernel stack locations. Fought to the death by: terry, julian, archie. Fix valid for 2.2 series as well.
Diffstat (limited to 'sys/netinet/ip_fw.c')
-rw-r--r--sys/netinet/ip_fw.c19
1 files changed, 10 insertions, 9 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index c343238..dcc3bfe 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -12,7 +12,7 @@
*
* This software is provided ``AS IS'' without any warranties of any kind.
*
- * $Id: ip_fw.c,v 1.64 1997/10/12 20:25:25 phk Exp $
+ * $Id: ip_fw.c,v 1.65 1997/11/05 20:17:19 joerg Exp $
*/
/*
@@ -577,23 +577,24 @@ got_match:
{
struct tcphdr *const tcp =
(struct tcphdr *) ((u_long *)ip + ip->ip_hl);
- struct tcpiphdr ti;
+ struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip;
if (offset != 0 || (tcp->th_flags & TH_RST))
break;
ti.ti_i = *((struct ipovly *) ip);
ti.ti_t = *tcp;
- NTOHL(ti.ti_seq);
- NTOHL(ti.ti_ack);
- ti.ti_len = ip->ip_len - hlen - (ti.ti_off << 2);
+ bcopy(&ti, ip, sizeof(ti));
+ NTOHL(tip->ti_seq);
+ NTOHL(tip->ti_ack);
+ tip->ti_len = ip->ip_len - hlen - (tip->ti_off << 2);
if (tcp->th_flags & TH_ACK) {
- tcp_respond(NULL, &ti, *m,
+ tcp_respond(NULL, tip, *m,
(tcp_seq)0, ntohl(tcp->th_ack), TH_RST);
} else {
if (tcp->th_flags & TH_SYN)
- ti.ti_len++;
- tcp_respond(NULL, &ti, *m, ti.ti_seq
- + ti.ti_len, (tcp_seq)0, TH_RST|TH_ACK);
+ tip->ti_len++;
+ tcp_respond(NULL, tip, *m, tip->ti_seq
+ + tip->ti_len, (tcp_seq)0, TH_RST|TH_ACK);
}
*m = NULL;
break;
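Review bot: After the new `bcopy(&ti, ip, sizeof(ti))` and the in-place `NTOHL(tip->ti_ack)`, the later reads through `tcp` (`tcp->th_flags` in both branch tests and `ntohl(tcp->th_ack)` in the first `tcp_respond` call) no longer see the original header, because `tip` and `tcp` now point into the same packet buffer. With no IP options, `tcp` appears to alias `tip->ti_t`, so `th_ack` would be byte-swapped twice on little-endian machines; with options, `tcp` lands inside the region the bcopy just rewrote and `th_flags` reads shifted bytes. The stack copy `ti` still holds the untouched network-order header, so these reads should come from it: `if (ti.ti_flags & TH_ACK) {`, `(tcp_seq)0, ntohl(ti.ti_ack), TH_RST);` and `if (ti.ti_flags & TH_SYN)`. A short comment such as `/* NB: rewrites the packet header in the mbuf; do not read through tcp after this point */` above the bcopy would keep the aliasing from being reintroduced. The enclosing case starts and ends outside the hunk, so this assumes nothing else there reads `tcp` afterwards.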