From 3cebc3e4de5ab47320131b48c4f6996deba48a60 Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov
Date: Fri, 27 Oct 2000 07:19:17 +0000
Subject: [PATCH] Fetch the protocol header (TCP, UDP, ICMP) only from the first fragment of IP datagram. This fixes the problem when firewall denied fragmented packets whose last fragment was less than minimum protocol header size.
Found by: Harti Brandt
PR: kern/22309
---
 sys/netinet/ip_fw.c | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 3d0a459b053..c3637b5a24a 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -970,25 +970,20 @@ ip_fw_chk(struct ip **pip, int hlen,
 goto bogusfrag; \
 ip = mtod(*m, struct ip *); \
 *pip = ip; \
- offset = (ip->ip_off & IP_OFFMASK); \
 } \
 } while (0)
 
 /*
 * Collect parameters into local variables for faster matching.
 */
+ proto = ip->ip_p;
+ src_ip = ip->ip_src;
+ dst_ip = ip->ip_dst;
 offset = (ip->ip_off & IP_OFFMASK);
- {
+ if (offset == 0) {
 struct tcphdr *tcp;
 struct udphdr *udp;
 
- dst_ip = ip->ip_dst ;
- src_ip = ip->ip_src ;
- proto = ip->ip_p ;
- /*
- * warning - if offset != 0, port values are bogus.
- * Not a problem for ipfw, but could be for dummynet.
- */
 switch (proto) {
 case IPPROTO_TCP :
 PULLUP_TO(hlen + sizeof(struct tcphdr));
@@ -1014,14 +1009,14 @@ ip_fw_chk(struct ip **pip, int hlen,
 default : break;
 }
-#undef PULLUP_TO
- last_pkt.src_ip = ntohl(src_ip.s_addr) ;
- last_pkt.dst_ip = ntohl(dst_ip.s_addr) ;
- last_pkt.proto = proto ;
- last_pkt.src_port = ntohs(src_port) ;
- last_pkt.dst_port = ntohs(dst_port) ;
- last_pkt.flags = flags ;
 }
+#undef PULLUP_TO
+ last_pkt.src_ip = ntohl(src_ip.s_addr);
+ last_pkt.dst_ip = ntohl(dst_ip.s_addr);
+ last_pkt.proto = proto;
+ last_pkt.src_port = ntohs(src_port);
+ last_pkt.dst_port = ntohs(dst_port);
+ last_pkt.flags = flags;
 if (*flow_id) {
 /* Accept if passed first test */
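Review bot: With the transport-header pullup now guarded by the new `if (offset == 0) {`, src_port, dst_port and flags are never assigned on the non-first-fragment path, yet the second hunk still copies them into last_pkt for every packet; unless they are zero-initialized at their declarations (outside this hunk — please confirm), last_pkt would carry indeterminate port/flag values for those fragments. The hunk also deletes the only comment that warned consumers of last_pkt (dummynet) that ports are meaningless when offset != 0, so I'd restore that warning at the new condition: `/* Transport header is fetched only from the first fragment; for offset != 0 src_port, dst_port and flags keep their initial values and must not be trusted. */`. If the declarations turn out to be uninitialized, an `else { src_port = dst_port = 0; flags = 0; }` after the block would make the non-first-fragment values deterministic. A first fragment that is too short for its protocol header still fails PULLUP_TO and takes the bogusfrag path, which appears to preserve the tiny-fragment rejection; ip_fw_chk's body continues outside the hunk.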