natd fw punch rule leak found (and fix)

From: Flemming Kraglund <fk_at_kraglund.net>
Date: Thu, 28 Aug 2003 17:18:23 +0200
On a busy ftp site it was noticed that natd stopped punching ftp data
session after some time, it was leaking the fw rule numbers allocated
for punching. This happens if the ftp clients or ftp servers TCP layer
was retransmitting the PORT/EPRT or the passive replies or as a DoS
from a malicious client, then natd will allocated a new fw rule number
for the punch overwriting the old allocated number, this happens even
if the punch would not occur due to one of the port numbers being zero.

The fix is simple, in libalias/alias_db.c in PunchFWHole add the
following after the initial packetAliasMode test:

    /* FK, fix fw rule slots leak */
    /* PROBLEM: we get double allocation for a link if there is a 
           retransmission of a packet with session information
           (ftp PORT command etc) or a DoS client that keeps sending
           such commands, this double allocation will overwrite the
           previous allocated rule slot number.
       FIX: If one of the ports for the FW rule is zero then no
           rule is punched so don't do the punch stuff.
    */
    if (GetOriginalPort(link) == 0 || GetDestPort(link) == 0)
	return;
    ClearFWHole(link);
    /* FK, fix fw rule slots leak ends */

/FK
Received on Thu Aug 28 2003 - 06:18:28 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:20 UTC