From 14901c04b79cb17c3c64e0f387e5bf232548c4f1 Mon Sep 17 00:00:00 2001
From: dillon
Date: Mon, 14 Dec 1998 02:25:32 +0000
Subject: Reviewed by: freebsd-current
Add bounds checking to netbios NS packet resolving code. This should prevent natd from crashing on badly formed netbios packets (as might be heard when the machine is sitting on a cable modem or certain DSL networks), and also closes potential security holes that might have exploited the lack of bounds checking in the previous version of the code.
---
 sys/netinet/libalias/alias.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
(limited to 'sys/netinet/libalias/alias.c')
diff --git a/sys/netinet/libalias/alias.c b/sys/netinet/libalias/alias.c
index 48a852a..50e597f 100644
--- a/sys/netinet/libalias/alias.c
+++ b/sys/netinet/libalias/alias.c
@@ -73,6 +73,9 @@
 - Eliminated PacketAliasIn2() and PacketAliasOut2() as poorly conceived.
+ Version 2.3 Dec 1998 (dillon)
+ - Major bounds checking additions, see FreeBSD/CVS
+
 See HISTORY file for additional revisions.
 */
@@ -603,6 +606,7 @@ UdpAliasIn(struct ip *pip)
 u_short alias_port;
 int accumulate;
 u_short *sptr;
+ int r = 0;
 alias_address = GetAliasAddress(link);
 original_address = GetOriginalAddress(link);
@@ -613,11 +617,11 @@ UdpAliasIn(struct ip *pip)
 if (ntohs(ud->uh_dport) == NETBIOS_DGM_PORT_NUMBER || ntohs(ud->uh_sport) == NETBIOS_DGM_PORT_NUMBER ) {
- AliasHandleUdpNbt(pip, link, &original_address, ud->uh_dport);
+ r = AliasHandleUdpNbt(pip, link, &original_address, ud->uh_dport);
 } else if (ntohs(ud->uh_dport) == NETBIOS_NS_PORT_NUMBER || ntohs(ud->uh_sport) == NETBIOS_NS_PORT_NUMBER ) {
- AliasHandleUdpNbtNS(pip, link,
+ r = AliasHandleUdpNbtNS(pip, link,
 &alias_address, &alias_port, &original_address,
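Review bot: The two call sites in the third hunk now store the handlers' result in `r`, but nothing there says what a negative value means or what state the out-parameters (`&alias_address`, `&alias_port`, `&original_address`) are left in when a handler gives up part-way. A one-line comment above the branch would cover it, for example `/* r < 0: the NetBIOS handler could not parse the packet; see the check before return */`. Only UdpAliasIn is changed in this file, so any other caller of AliasHandleUdpNbt or AliasHandleUdpNbtNS (none is visible in this diff) should be checked for a return value that is still discarded. The AliasHandleUdpNbtNS call and the enclosing function both continue past the end of the hunk.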
@@ -648,7 +652,14 @@ UdpAliasIn(struct ip *pip)
 (u_short *) &pip->ip_dst, 2);
 pip->ip_dst = original_address;
- return(PKT_ALIAS_OK);
+
+ /*
+ * If we cannot figure out the packet, ignore it.
+ */
+ if (r < 0)
+ return(PKT_ALIAS_IGNORED);
+ else
+ return(PKT_ALIAS_OK);
 }
 return(PKT_ALIAS_IGNORED);
 }
--
cgit v1.1
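Review bot: The `r < 0` test is reached only after the context lines above it have finished the checksum adjustment and assigned `pip->ip_dst = original_address`, so a packet that failed the new bounds checks is reported as PKT_ALIAS_IGNORED with its IP header already rewritten. If the caller passes ignored packets on (its handling is not visible here), the malformed datagram still reaches the translated destination. Testing the result before any header field is touched, with `if (r < 0) return(PKT_ALIAS_IGNORED);` placed directly after the NetBIOS branch from the earlier hunk, would leave a rejected packet unmodified. The enclosing function starts outside this hunk, so the code between the handler calls and these lines should be checked for other writes that happen before the test.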