From 4741f3a10975d24cecc0eb2fd5c0039828e26580 Mon Sep 17 00:00:00 2001
From: Paolo Pisati
Date: Thu, 6 Mar 2008 21:50:41 +0000
Subject: [PATCH] MFP4: restrict the utilization of direct pointers to the content of ip packet. These modifications are functionally nop()s thus can be merged with no side effects.
---
sys/netinet/libalias/alias.c | 59 ++++++++++++++---------------
sys/netinet/libalias/alias_db.c | 34 ++++++-----------
sys/netinet/libalias/alias_ftp.c | 6 ++-
sys/netinet/libalias/alias_irc.c | 6 ++-
sys/netinet/libalias/alias_local.h | 12 +++---
sys/netinet/libalias/alias_proxy.c | 21 ++++------
sys/netinet/libalias/alias_smedia.c | 6 ++-
7 files changed, 67 insertions(+), 77 deletions(-)
diff --git a/sys/netinet/libalias/alias.c b/sys/netinet/libalias/alias.c
index ed500e177f98..dbc384fc94a4 100644
--- a/sys/netinet/libalias/alias.c
+++ b/sys/netinet/libalias/alias.c
@@ -170,48 +170,42 @@ a timeout period. */ /* Local prototypes */ -static void TcpMonitorIn(struct ip *, struct alias_link *); +static void TcpMonitorIn(u_char, struct alias_link *); -static void TcpMonitorOut(struct ip *, struct alias_link *); +static void TcpMonitorOut(u_char, struct alias_link *); static void -TcpMonitorIn(struct ip *pip, struct alias_link *lnk) +TcpMonitorIn(u_char th_flags, struct alias_link *lnk) { - struct tcphdr *tc; - - tc = (struct tcphdr *)ip_next(pip); switch (GetStateIn(lnk)) { case ALIAS_TCP_STATE_NOT_CONNECTED: - if (tc->th_flags & TH_RST) + if (th_flags & TH_RST) SetStateIn(lnk, ALIAS_TCP_STATE_DISCONNECTED); - else if (tc->th_flags & TH_SYN) + else if (th_flags & TH_SYN) SetStateIn(lnk, ALIAS_TCP_STATE_CONNECTED); break; case ALIAS_TCP_STATE_CONNECTED: - if (tc->th_flags & (TH_FIN | TH_RST)) + if (th_flags & (TH_FIN | TH_RST)) SetStateIn(lnk, ALIAS_TCP_STATE_DISCONNECTED); break; } } static void -TcpMonitorOut(struct ip *pip, struct alias_link *lnk) +TcpMonitorOut(u_char th_flags, struct alias_link *lnk) { - struct tcphdr *tc; - - tc = (struct tcphdr *)ip_next(pip); switch (GetStateOut(lnk)) { case ALIAS_TCP_STATE_NOT_CONNECTED: - if (tc->th_flags & TH_RST) + if (th_flags & TH_RST) SetStateOut(lnk, ALIAS_TCP_STATE_DISCONNECTED); - else if (tc->th_flags & TH_SYN) + else if (th_flags & TH_SYN) SetStateOut(lnk, ALIAS_TCP_STATE_CONNECTED); break; case ALIAS_TCP_STATE_CONNECTED: - if (tc->th_flags & (TH_FIN | TH_RST)) + if (th_flags & (TH_FIN | TH_RST)) SetStateOut(lnk, ALIAS_TCP_STATE_DISCONNECTED); break; } @@ -646,7 +640,7 @@ IcmpAliasOut(struct libalias *la, struct ip *pip, int create) } - +// XXX ip free static int ProtoAliasIn(struct libalias *la, struct ip *pip) { @@ -679,7 +673,7 @@ ProtoAliasIn(struct libalias *la, struct ip *pip) return (PKT_ALIAS_IGNORED); } - +// XXX ip free static int ProtoAliasOut(struct libalias *la, struct ip *pip, int create) { 
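Review bot: TcpMonitorIn() and TcpMonitorOut() now take a bare `u_char th_flags`, but neither the prototypes nor the definitions say where that byte comes from or which bits matter. A short comment above each would make the contract explicit, e.g. `/* th_flags: flags byte of the TCP header (TH_* bits); only SYN, FIN and RST drive the state change. */`. The `switch` in both functions has no `default`, so any state other than the two listed leaves the link untouched; if that is intended, say so in the same comment.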
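Review bot: The `// XXX ip free` marker added above ProtoAliasIn() (hunk -646) does not say what it means, and it is a C++-style comment where the visible comments in this file are `/* ... */`. ProtoAliasIn() still takes `struct ip *pip`, so a reader cannot tell whether the marker means "already converted" or "still to be converted"; it also replaces the blank line that separated the functions. Use a block comment that states the status, e.g. `/* XXX: <state what remains to be done about direct packet pointers here> */`, and keep the blank line. The same marker is added at -679, -1093, -1114, -1146, -1166 and -1188 in alias.c and at -2005, -2049 and -2093 in alias_db.c.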
@@ -930,7 +924,8 @@ TcpAliasIn(struct libalias *la, struct ip *pip) if (GetAckModified(lnk) == 1) { int delta; - delta = GetDeltaAckIn(pip, lnk); + tc = (struct tcphdr *)ip_next(pip); + delta = GetDeltaAckIn(tc->th_ack, lnk); if (delta != 0) { accumulate += twowords(&tc->th_ack); tc->th_ack = htonl(ntohl(tc->th_ack) - delta); @@ -954,7 +949,8 @@ TcpAliasIn(struct libalias *la, struct ip *pip) ADJUST_CHECKSUM(accumulate, pip->ip_sum); /* Monitor TCP connection state */ - TcpMonitorIn(pip, lnk); + tc = (struct tcphdr *)ip_next(pip); + TcpMonitorIn(tc->th_flags, lnk); return (PKT_ALIAS_OK); } @@ -976,8 +972,9 @@ TcpAliasOut(struct libalias *la, struct ip *pip, int maxpacketsize, int create) tc = (struct tcphdr *)ip_next(pip); if (create) - proxy_type = - ProxyCheck(la, pip, &proxy_server_address, &proxy_server_port); + proxy_type = ProxyCheck(la, &proxy_server_address, + &proxy_server_port, pip->ip_src, pip->ip_dst, + tc->th_dport, pip->ip_p); else proxy_type = 0; @@ -1036,7 +1033,8 @@ TcpAliasOut(struct libalias *la, struct ip *pip, int maxpacketsize, int create) alias_address = GetAliasAddress(lnk); /* Monitor TCP connection state */ - TcpMonitorOut(pip, lnk); + tc = (struct tcphdr *)ip_next(pip); + TcpMonitorOut(tc->th_flags, lnk); /* Walk out chain. */ error = find_handler(OUT, TCP, la, pip, &ad); @@ -1052,8 +1050,9 @@ TcpAliasOut(struct libalias *la, struct ip *pip, int maxpacketsize, int create) /* Modify sequence number if necessary */ if (GetAckModified(lnk) == 1) { int delta; - - delta = GetDeltaSeqOut(pip, lnk); + + tc = (struct tcphdr *)ip_next(pip); + delta = GetDeltaSeqOut(tc->th_seq, lnk); if (delta != 0) { accumulate += twowords(&tc->th_seq); tc->th_seq = htonl(ntohl(tc->th_seq) + delta); @@ -1093,7 +1092,7 @@ saved and recalled when a header fragment is seen. static int FragmentIn(struct libalias *, struct ip *); static int FragmentOut(struct libalias *, struct ip *); - +// XXX ip free static int FragmentIn(struct libalias *la, struct ip *pip) { 
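Review bot: `tc = (struct tcphdr *)ip_next(pip);` is recomputed in hunk -930 right before `GetDeltaAckIn(tc->th_ack, lnk)` with no comment explaining why, and the same re-derivation is added at -954 before TcpMonitorIn() and at -1036 and -1052 in TcpAliasOut(). If the intent is that `tc` must not be cached across code that may alter the packet (for instance the handler chain run by find_handler()), say so with something like `/* re-read: earlier processing may have changed the header */`; if nothing in between can move the header, the extra assignments are redundant. None of these reads is preceded, within the hunks, by a check that the TCP header lies inside the packet buffer; presumably that is validated earlier, but it is worth confirming since the values come from the wire. TcpAliasIn() and TcpAliasOut() both start and end outside these hunks.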
@@ -1114,7 +1113,7 @@ FragmentIn(struct libalias *la, struct ip *pip) return (PKT_ALIAS_UNRESOLVED_FRAGMENT); } - +// XXX ip free static int FragmentOut(struct libalias *la, struct ip *pip) { @@ -1146,7 +1145,7 @@ FragmentOut(struct libalias *la, struct ip *pip) (prototypes in alias.h) */ - +// XXX ip free int LibAliasSaveFragment(struct libalias *la, char *ptr) { @@ -1166,7 +1165,7 @@ LibAliasSaveFragment(struct libalias *la, char *ptr) return (iresult); } - +// XXX ip free char * LibAliasGetFragment(struct libalias *la, char *ptr) { @@ -1188,7 +1187,7 @@ LibAliasGetFragment(struct libalias *la, char *ptr) return (fptr); } - +// XXX ip free void LibAliasFragmentIn(struct libalias *la, char *ptr, /* Points to correctly * de-aliased header diff --git a/sys/netinet/libalias/alias_db.c b/sys/netinet/libalias/alias_db.c index 958e87bc1cf7..9a7d3a59d29b 100644 --- a/sys/netinet/libalias/alias_db.c +++ b/sys/netinet/libalias/alias_db.c @@ -2005,9 +2005,9 @@ GetAckModified(struct alias_link *lnk) return (lnk->data.tcp->state.ack_modified); } - +// XXX ip free int -GetDeltaAckIn(struct ip *pip, struct alias_link *lnk) +GetDeltaAckIn(u_long ack, struct alias_link *lnk) { /* Find out how much the ACK number has been altered for an incoming @@ -2016,12 +2016,7 @@ packet size was altered is searched. */ int i; - struct tcphdr *tc; int delta, ack_diff_min; - u_long ack; - - tc = ip_next(pip); - ack = tc->th_ack; delta = 0; ack_diff_min = -1; @@ -2049,9 +2044,9 @@ packet size was altered is searched. return (delta); } - +// XXX ip free int -GetDeltaSeqOut(struct ip *pip, struct alias_link *lnk) +GetDeltaSeqOut(u_long seq, struct alias_link *lnk) { /* Find out how much the sequence number has been altered for an outgoing @@ -2060,12 +2055,7 @@ packet size was altered is searched. */ int i; - struct tcphdr *tc; int delta, seq_diff_min; - u_long seq; - - tc = ip_next(pip); - seq = tc->th_seq; delta = 0; seq_diff_min = -1; 
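Review bot: GetDeltaAckIn() (hunk -2005) now receives `u_long ack` by value, and the caller in alias.c passes `tc->th_ack` straight from the packet, i.e. still in network byte order (the same caller applies `ntohl()` to it a line later). The comment inside the function does not state that, so a future caller could pass a host-order number and silently get a wrong delta. Add a line such as `/* ack: th_ack exactly as found in the TCP header (network byte order) */`; the same applies to `seq` in GetDeltaSeqOut() at -2049. The loops that consume the value are only partly visible in these hunks.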
@@ -2093,9 +2083,10 @@ packet size was altered is searched. return (delta); } - +// XXX ip free void -AddSeq(struct ip *pip, struct alias_link *lnk, int delta) +AddSeq(struct alias_link *lnk, int delta, u_int ip_hl, u_short ip_len, + u_long th_seq, u_int th_off) { /* When a TCP packet has been altered in length, save this @@ -2103,19 +2094,16 @@ information in a circular list. If enough packets have been altered, then this list will begin to overwrite itself. */ - struct tcphdr *tc; struct ack_data_record x; int hlen, tlen, dlen; int i; - tc = ip_next(pip); - - hlen = (pip->ip_hl + tc->th_off) << 2; - tlen = ntohs(pip->ip_len); + hlen = (ip_hl + th_off) << 2; + tlen = ntohs(ip_len); dlen = tlen - hlen; - x.ack_old = htonl(ntohl(tc->th_seq) + dlen); - x.ack_new = htonl(ntohl(tc->th_seq) + dlen + delta); + x.ack_old = htonl(ntohl(th_seq) + dlen); + x.ack_new = htonl(ntohl(th_seq) + dlen + delta); x.delta = delta; x.active = 1; diff --git a/sys/netinet/libalias/alias_ftp.c b/sys/netinet/libalias/alias_ftp.c index 68134af1ab27..b90fd9f073a6 100644 --- a/sys/netinet/libalias/alias_ftp.c +++ b/sys/netinet/libalias/alias_ftp.c @@ -734,8 +734,10 @@ NewFtpMessage(struct libalias *la, struct ip *pip, int delta; SetAckModified(lnk); - delta = GetDeltaSeqOut(pip, lnk); - AddSeq(pip, lnk, delta + slen - dlen); + tc = (struct tcphdr *)ip_next(pip); + delta = GetDeltaSeqOut(tc->th_seq, lnk); + AddSeq(lnk, delta + slen - dlen, pip->ip_hl, + pip->ip_len, tc->th_seq, tc->th_off); } /* Revise IP header */ diff --git a/sys/netinet/libalias/alias_irc.c b/sys/netinet/libalias/alias_irc.c index 5aa80e63cb46..ae8ce2a3dec5 100644 --- a/sys/netinet/libalias/alias_irc.c +++ b/sys/netinet/libalias/alias_irc.c 
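Review bot: AddSeq() computes `dlen = tlen - hlen` from caller-supplied scalars, and nothing in the visible body checks that `ntohs(ip_len)` is at least `(ip_hl + th_off) << 2`, so inconsistent length fields would feed a negative `dlen` into `ack_old`/`ack_new`. Whether every caller validates the headers first is not visible in this patch; now that the function no longer sees the packet, state the precondition in its comment or reject the case with `if (tlen < hlen) return;`. The parameters also mix conventions: `ip_len` and `th_seq` are expected in network byte order (the body applies `ntohs`/`ntohl`), while `ip_hl` and `th_off` are 32-bit word counts; document that next to the signature. The function continues beyond the hunk.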
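Review bot: The call in NewFtpMessage() (alias_ftp.c, hunk -734) passes six positional arguments, four of them integers unpacked from two different headers: `AddSeq(lnk, delta + slen - dlen, pip->ip_hl, pip->ip_len, tc->th_seq, tc->th_off)`. Transposing, say, `pip->ip_len` and `tc->th_seq` compiles without complaint because of implicit integer conversion, and the identical unpacking is repeated in alias_irc.c (-432), alias_proxy.c (-453) and alias_smedia.c (-404). Keeping the field order in one place, for example a single caller-side helper or macro in alias_local.h that expands to the six-argument call, would remove that risk. `tc` is assigned here but declared outside the hunk, and NewFtpMessage() starts and ends outside it.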
@@ -432,8 +432,10 @@ AliasHandleIrcOut(struct libalias *la, int delta; SetAckModified(lnk); - delta = GetDeltaSeqOut(pip, lnk); - AddSeq(pip, lnk, delta + copyat + iCopy - dlen); + tc = (struct tcphdr *)ip_next(pip); + delta = GetDeltaSeqOut(tc->th_seq, lnk); + AddSeq(lnk, delta + copyat + iCopy - dlen, pip->ip_hl, + pip->ip_len, tc->th_seq, tc->th_off); } /* Revise IP header */ diff --git a/sys/netinet/libalias/alias_local.h b/sys/netinet/libalias/alias_local.h index 2abcb69c0a9d..2a7449ade0a5 100644 --- a/sys/netinet/libalias/alias_local.h +++ b/sys/netinet/libalias/alias_local.h @@ -298,9 +298,10 @@ u_short GetProxyPort(struct alias_link *_lnk); void SetProxyPort(struct alias_link *_lnk, u_short _port); void SetAckModified(struct alias_link *_lnk); int GetAckModified(struct alias_link *_lnk); -int GetDeltaAckIn(struct ip *_pip, struct alias_link *_lnk); -int GetDeltaSeqOut(struct ip *_pip, struct alias_link *_lnk); -void AddSeq (struct ip *_pip, struct alias_link *_lnk, int _delta); +int GetDeltaAckIn(u_long, struct alias_link *_lnk); +int GetDeltaSeqOut(u_long, struct alias_link *lnk); +void AddSeq(struct alias_link *lnk, int delta, u_int ip_hl, + u_short ip_len, u_long th_seq, u_int th_off); void SetExpire (struct alias_link *_lnk, int _expire); void ClearCheckNewLink(struct libalias *la); void SetProtocolFlags(struct alias_link *_lnk, int _pflags); @@ -320,8 +321,9 @@ void HouseKeeping(struct libalias *); /* Transparent proxy routines */ int -ProxyCheck(struct libalias *la, struct ip *_pip, struct in_addr *_proxy_server_addr, - u_short * _proxy_server_port); +ProxyCheck(struct libalias *la, struct in_addr *proxy_server_addr, + u_short * proxy_server_port, struct in_addr src_addr, + struct in_addr dst_addr, u_short dst_port, u_char ip_p); void ProxyModify(struct libalias *la, struct alias_link *_lnk, struct ip *_pip, int _maxpacketsize, int _proxy_type); 
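Review bot: The new prototypes in alias_local.h (hunk -298) break the header's naming convention: the neighbouring declarations use underscore-prefixed parameter names (`_lnk`, `_port`, `_expire`), while the added lines use `lnk`, `delta`, `ip_hl`, `ip_len`, `th_seq`, `th_off`, and `GetDeltaAckIn(u_long, ...)` / `GetDeltaSeqOut(u_long, ...)` leave the first parameter unnamed. Names like `ip_len` and `th_seq` coincide with IP/TCP header member names, which the prefix presumably exists to keep clear of. Prefer `u_long _ack`, `u_long _seq`, `u_int _ip_hl` and so on. The ProxyCheck() prototype at -320 drops the prefix in the same way.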
diff --git a/sys/netinet/libalias/alias_proxy.c b/sys/netinet/libalias/alias_proxy.c index d7efb4bcae55..4e11d4d74be5 100644 --- a/sys/netinet/libalias/alias_proxy.c +++ b/sys/netinet/libalias/alias_proxy.c @@ -453,8 +453,10 @@ ProxyEncodeTcpStream(struct alias_link *lnk, int delta; SetAckModified(lnk); - delta = GetDeltaSeqOut(pip, lnk); - AddSeq(pip, lnk, delta + slen); + tc = (struct tcphdr *)ip_next(pip); + delta = GetDeltaSeqOut(tc->th_seq, lnk); + AddSeq(lnk, delta + slen, pip->ip_hl, pip->ip_len, tc->th_seq, + tc->th_off); } /* Update IP header packet length and checksum */ @@ -561,20 +563,13 @@ ProxyEncodeIpHeader(struct ip *pip, */ int -ProxyCheck(struct libalias *la, struct ip *pip, - struct in_addr *proxy_server_addr, - u_short * proxy_server_port) +ProxyCheck(struct libalias *la, struct in_addr *proxy_server_addr, + u_short * proxy_server_port, struct in_addr src_addr, + struct in_addr dst_addr, u_short dst_port, u_char ip_p) { - u_short dst_port; - struct in_addr src_addr; - struct in_addr dst_addr; struct proxy_entry *ptr; LIBALIAS_LOCK_ASSERT(la); - src_addr = pip->ip_src; - dst_addr = pip->ip_dst; - dst_port = ((struct tcphdr *)ip_next(pip)) - ->th_dport; ptr = la->proxyList; while (ptr != NULL) { @@ -582,7 +577,7 @@ ProxyCheck(struct libalias *la, struct ip *pip, proxy_port = ptr->proxy_port; if ((dst_port == proxy_port || proxy_port == 0) - && pip->ip_p == ptr->proto + && ip_p == ptr->proto && src_addr.s_addr != ptr->server_addr.s_addr) { struct in_addr src_addr_masked; struct in_addr dst_addr_masked; diff --git a/sys/netinet/libalias/alias_smedia.c b/sys/netinet/libalias/alias_smedia.c index cf372b04ec99..e748ad7dab26 100644 --- a/sys/netinet/libalias/alias_smedia.c +++ b/sys/netinet/libalias/alias_smedia.c 
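Review bot: ProxyCheck() (hunk -561) now receives `dst_port` and `ip_p` as separate scalars, so nothing in the function ties the port to the protocol: the test `dst_port == proxy_port` at -582 is meaningful only if the caller read the port from the transport header that `ip_p` names. The one visible caller, TcpAliasOut(), passes `tc->th_dport` and `pip->ip_p`, which is consistent, but the requirement is not written down. Extend the comment above the function with something like `dst_port: destination port in network byte order, taken from the transport header identified by ip_p`. The byte order of `ptr->proxy_port` is not visible in these hunks, so confirm it matches.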
@@ -404,8 +404,10 @@ alias_rtsp_out(struct libalias *la, struct ip *pip, memcpy(data, newdata, new_dlen); SetAckModified(lnk); - delta = GetDeltaSeqOut(pip, lnk); - AddSeq(pip, lnk, delta + new_dlen - dlen); + tc = (struct tcphdr *)ip_next(pip); + delta = GetDeltaSeqOut(tc->th_seq, lnk); + AddSeq(lnk, delta + new_dlen - dlen, pip->ip_hl, pip->ip_len, + tc->th_seq, tc->th_off); new_len = htons(hlen + new_dlen); DifferentialChecksum(&pip->ip_sum,