authorbillf <billf@FreeBSD.org>2000-09-06 03:10:42 +0000
committerbillf <billf@FreeBSD.org>2000-09-06 03:10:42 +0000
commitb1549fa803c4c7c23627d66d8ea9033dffedb5da (patch)
tree15688a5a63a40bca219c907c945947c7412765a9 /sys/netinet/ip_fw.c
parentd8c5793861501f78ad999d797bc6e92831439a42 (diff)
1. IP_FW_F_{UID,GID} are _not_ commands, they are extras. The sanity checking
for them does not belong in the IP_FW_F_COMMAND switch, that mask doesn't even apply to them(!). 2. You cannot add a uid/gid rule to something that isn't TCP, UDP, or IP. XXX - this should be handled in ipfw(8) as well (for more diagnostic output), but this at least protects bogus rules from being added. Pointy hat: green
Diffstat (limited to 'sys/netinet/ip_fw.c')
-rw-r--r--sys/netinet/ip_fw.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 4ed2b0b..2e2bdd3 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -1719,6 +1719,13 @@ check_ipfw_struct(struct ip_fw *frwl)
}
}
+ if (frwl->fw_flg & (IP_FW_F_UID | IP_FW_F_GID)) {
+ if (frwl->fw_prot != (IPPROTO_TCP | IPPROTO_UDP | IPPROTO_IP)) {
+ dprintf(("%s cannot use uid/gid logic on non-TCP/UDP\n", err_prefix));
+ return (EINVAL);
+ }
+ }
+
/* Check command specific stuff */
switch (frwl->fw_flg & IP_FW_F_COMMAND)
{
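Review bot: The protocol test on the added `if (frwl->fw_prot != (IPPROTO_TCP | IPPROTO_UDP | IPPROTO_IP))` line compares a single protocol number against the bitwise OR of three protocol numbers, so it does not implement the "TCP, UDP, or IP" rule the commit message describes. IPPROTO_IP, IPPROTO_TCP and IPPROTO_UDP are plain values (0, 6, 17), not flag bits; OR-ing them yields one unrelated value, and every uid/gid rule whose fw_prot is TCP, UDP or IP is rejected while a rule with that one stray protocol number is accepted. The condition should be written as three separate comparisons: `if (frwl->fw_prot != IPPROTO_TCP && frwl->fw_prot != IPPROTO_UDP &&` / `    frwl->fw_prot != IPPROTO_IP) {`. The dprintf text "non-TCP/UDP" also understates the accepted set, since IP is allowed too; `"%s uid/gid logic only valid for TCP, UDP or IP\n"` would match the check. check_ipfw_struct continues beyond both hunks, so any other validation of fw_prot that these values rely on is not visible here.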
@@ -1752,8 +1759,6 @@ check_ipfw_struct(struct ip_fw *frwl)
#ifdef IPFIREWALL_FORWARD
case IP_FW_F_FWD:
#endif
- case IP_FW_F_UID:
- case IP_FW_F_GID:
break;
default:
dprintf(("%s invalid command\n", err_prefix));