authorjulian <julian@FreeBSD.org>1997-12-19 03:36:15 +0000
committerjulian <julian@FreeBSD.org>1997-12-19 03:36:15 +0000
commitefed7b6cdc3b52ec7b15070962717a321fead604 (patch)
tree29973ac1d2003e2344de2681c47b3285276ddbdc /sys/netinet
parent21d1d08bb0b58cff32679b91e2d84e00a4bbcf98 (diff)
Fix an incredibly horrible bug in the ipfw code
where if you are using the "reset tcp" firewall command, the kernel would write ethernet headers onto random kernel stack locations. Fought to the death by: terry, julian, archie. fix valid for 2.2 series as well.
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_fw.c19
-rw-r--r--sys/netinet/tcp_subr.c4
-rw-r--r--sys/netinet/tcp_timewait.c4
3 files changed, 16 insertions, 11 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index c343238..dcc3bfe 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -12,7 +12,7 @@
*
* This software is provided ``AS IS'' without any warranties of any kind.
*
- * $Id: ip_fw.c,v 1.64 1997/10/12 20:25:25 phk Exp $
+ * $Id: ip_fw.c,v 1.65 1997/11/05 20:17:19 joerg Exp $
*/
/*
@@ -577,23 +577,24 @@ got_match:
{
struct tcphdr *const tcp =
(struct tcphdr *) ((u_long *)ip + ip->ip_hl);
- struct tcpiphdr ti;
+ struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip;
if (offset != 0 || (tcp->th_flags & TH_RST))
break;
ti.ti_i = *((struct ipovly *) ip);
ti.ti_t = *tcp;
- NTOHL(ti.ti_seq);
- NTOHL(ti.ti_ack);
- ti.ti_len = ip->ip_len - hlen - (ti.ti_off << 2);
+ bcopy(&ti, ip, sizeof(ti));
+ NTOHL(tip->ti_seq);
+ NTOHL(tip->ti_ack);
+ tip->ti_len = ip->ip_len - hlen - (tip->ti_off << 2);
if (tcp->th_flags & TH_ACK) {
- tcp_respond(NULL, &ti, *m,
+ tcp_respond(NULL, tip, *m,
(tcp_seq)0, ntohl(tcp->th_ack), TH_RST);
} else {
if (tcp->th_flags & TH_SYN)
- ti.ti_len++;
- tcp_respond(NULL, &ti, *m, ti.ti_seq
- + ti.ti_len, (tcp_seq)0, TH_RST|TH_ACK);
+ tip->ti_len++;
+ tcp_respond(NULL, tip, *m, tip->ti_seq
+ + tip->ti_len, (tcp_seq)0, TH_RST|TH_ACK);
}
*m = NULL;
break;
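Review bot: The reads through `tcp` after the `bcopy` now see memory this block has just rewritten, because `tip` aliases `ip` and the TCP header is copied down and byte-swapped in place. With no IP options (`ip_hl == 5`, and assuming `struct ipovly` is the size of an option-less IP header) `tcp` points at the same bytes as `tip->ti_t`, so `ntohl(tcp->th_ack)` swaps a field that `NTOHL(tip->ti_ack)` has already converted; on a little-endian host the RST would then carry a sequence number the peer is likely to discard, and the blocked connection is not torn down. With fewer than 20 bytes of options the source and destination of the copy overlap, so `tcp->th_flags` reads shifted header bytes. The untouched stack copy avoids both cases: `if (ti.ti_flags & TH_ACK)`, `ntohl(ti.ti_ack)` and `if (ti.ti_flags & TH_SYN)`. The enclosing case starts and ends outside this hunk, so whether an earlier pullup guarantees `hlen + sizeof(struct tcphdr)` contiguous bytes in the first mbuf cannot be confirmed from here.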
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 23d8a0b..97b2a54 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
- * $Id: tcp_subr.c,v 1.38 1997/09/16 18:36:06 joerg Exp $
+ * $Id: tcp_subr.c,v 1.39 1997/10/28 15:58:53 bde Exp $
*/
#include "opt_tcpdebug.h"
@@ -164,6 +164,8 @@ tcp_template(tp)
*
* In any case the ack and sequence number of the transmitted
* segment are as specified by the parameters.
+ *
+ * NOTE: If m != NULL, then ti must point to *inside* the mbuf.
*/
void
tcp_respond(tp, ti, m, ack, seq, flags)
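Review bot: The new NOTE records the precondition whose violation caused the stack corruption, but nothing enforces it, so a later caller that passes a local `tcpiphdr` together with a non-NULL `m` would reintroduce the same overwrite without any warning. A debug-kernel check at the top of `tcp_respond` would catch this at the call rather than as corrupted stack, for example under `#ifdef DIAGNOSTIC`: `if (m != NULL && ((caddr_t)ti < mtod(m, caddr_t) || (caddr_t)(ti + 1) > mtod(m, caddr_t) + m->m_len)) panic("tcp_respond: ti outside mbuf");`. The comment could also state the reason, presumably that the function reuses `m` and rebases its data pointer on `ti`; the body is outside this hunk, so that should be confirmed before wording it as fact. The identical hunk listed for sys/netinet/tcp_timewait.c gets the same remark.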
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 23d8a0b..97b2a54 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
- * $Id: tcp_subr.c,v 1.38 1997/09/16 18:36:06 joerg Exp $
+ * $Id: tcp_subr.c,v 1.39 1997/10/28 15:58:53 bde Exp $
*/
#include "opt_tcpdebug.h"
@@ -164,6 +164,8 @@ tcp_template(tp)
*
* In any case the ack and sequence number of the transmitted
* segment are as specified by the parameters.
+ *
+ * NOTE: If m != NULL, then ti must point to *inside* the mbuf.
*/
void
tcp_respond(tp, ti, m, ack, seq, flags)