From 4df9b50afc714fa92acdbe0ae2e76cd2ac6d6d7e Mon Sep 17 00:00:00 2001
From: rik
Date: Sat, 6 Sep 2008 17:26:52 +0000
Subject: Check rule numbers against maximum value to avoid rules cleanup due to overflow.

MFC after: 5 days.
---
 sbin/natd/natd.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

(limited to 'sbin/natd/natd.c')

diff --git a/sbin/natd/natd.c b/sbin/natd/natd.c
index 3a5a644..445077f 100644
--- a/sbin/natd/natd.c
+++ b/sbin/natd/natd.c
@@ -130,6 +130,7 @@ static void SetupPunchFW(const char *strValue);
 static void SetupSkinnyPort(const char *strValue);
 static void NewInstance(const char *name);
 static void DoGlobal (int fd);
+static int CheckIpfwRulenum(unsigned int rnum);
 
 /*
  * Globals.
@@ -1947,6 +1948,10 @@ SetupPunchFW(const char *strValue)
 	if (sscanf(strValue, "%u:%u", &base, &num) != 2)
 		errx(1, "punch_fw: basenumber:count parameter required");
 
+	if (CheckIpfwRulenum(base + num - 1) == -1)
+		errx(1, "punch_fw: basenumber:count parameter should fit "
+		    "the maximum allowed rule numbers");
+
 	LibAliasSetFWBase(mla, base, num);
 	(void)LibAliasSetMode(mla, PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW);
 }
@@ -1991,3 +1996,22 @@ NewInstance(const char *name)
 	mla = ip->la;
 	mip = ip;
 }
+
+static int
+CheckIpfwRulenum(unsigned int rnum)
+{
+	unsigned int default_rule;
+	size_t len = sizeof(default_rule);
+
+	if (sysctlbyname("net.inet.ip.fw.default_rule", &default_rule, &len,
+	    NULL, 0) == -1) {
+		warn("Failed to get the default ipfw rule number, using "
+		    "default historical value 65535. The reason was");
+		default_rule = 65535;
+	}
+	if (rnum >= default_rule) {
+		return -1;
+	}
+
+	return 0;
+}
-- 
cgit v1.1
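Review bot: The new range check in SetupPunchFW computes `base + num - 1` in unsigned arithmetic, so the very overflow the commit is meant to prevent can still slip through: a count of 0 makes the expression `base - 1` (and `UINT_MAX` when base is also 0), and a large base plus count wraps to a small value that passes `CheckIpfwRulenum` even though the real last rule number is far above the default rule. Since `%u` in the preceding sscanf also silently accepts negative input as a wrapped value, both operands should be treated as untrusted. I would reject the degenerate and wrapping cases before calling the helper: `if (num == 0 || num - 1 > UINT_MAX - base || CheckIpfwRulenum(base + num - 1) == -1)` with the same errx message. Whether libalias additionally narrows base/num to a smaller type when it stores them is not visible here and would be worth confirming. SetupPunchFW begins outside this hunk.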
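Review bot: CheckIpfwRulenum documents neither why the comparison is `>=` nor what the -1/0 return means, and the sysctl fallback deserves a word too, since a missing net.inet.ip.fw.default_rule (ipfw not loaded) silently degrades to the historical 65535 rather than failing. I would put a block comment above the definition along the lines of `/* Return 0 if rnum is a usable ipfw rule number, -1 otherwise. The default rule number (normally 65535) is reserved for ipfw's own default rule, so a punch_fw rule must be strictly below it. If the sysctl is unavailable we fall back to 65535 and warn. */`. Separately, if I remember ipfw(8) correctly rule number 0 is not accepted either, so a lower bound `rnum == 0` would also be worth rejecting here; please confirm against the current ipfw behaviour before adding it. The function is added in full by this hunk.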