FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

kernel -- ipfw packet matching errors with address tables

Affected systems
5.4 <= FreeBSD < 5.4_3

Details

VuXML ID f70f8860-e8ee-11d9-b875-0001020eed82
Discovery 2005-06-29
Entry 2005-06-29
Modified 2005-07-06

Problem Description

The ipfw tables lookup code caches the result of the last query. The kernel may process multiple packets concurrently, performing several concurrent table lookups. Due to insufficient locking, a cached result can become corrupted, which could cause some addresses to be incorrectly matched against a lookup table.

Impact

When lookup tables are used with ipfw, packets may on very rare occasions incorrectly match a lookup table. This could result in a packet being treated contrary to the defined packet filtering ruleset. For example, a packet may be allowed to pass through when it should have been discarded.

The problem can only occur on Symmetric Multi-Processor (SMP) systems, or on Uniprocessor (UP) systems with the PREEMPTION kernel option enabled (not the default).
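The Problem Description and Impact above describe a single-entry "last query" cache whose address and result fields are updated without a lock. The following is an added, constructed C model of that bug class, not the ipfw source: it scripts one interleaving of two concurrent lookups against a racy two-field cache and shows the corrupted entry making an unlisted address match the table (which, for a ruleset that allows traffic from table members, lets that packet through), then shows the same interleaving against a cache entry packed into one atomically stored word. The listed prefix 10.0.0.0/8 and the sample addresses are constructed.

```c
/* Constructed model of a single-entry "last query" lookup cache, not the
 * ipfw code itself.  Listed prefix (constructed): 10.0.0.0/8. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
static bool table_lookup(uint32_t addr) { return (addr >> 24) == 10; }

/* Racy cache: address and result live in two fields, updated by two
 * separate stores with no lock, so a concurrent writer can interleave. */
struct racy_cache { uint32_t addr; bool hit; };

/* A reader that finds its address in the cache trusts the cached result. */
static bool racy_query(const struct racy_cache *c, uint32_t addr) {
    return c->addr == addr ? c->hit : table_lookup(addr);
}

/* Scripted interleaving: A starts caching a listed address, B caches an
 * unlisted address in between, then A's second store lands on B's entry. */
bool simulate_race_racy(void) {
    struct racy_cache c = { 0, false };
    uint32_t listed = IP(10, 1, 2, 3), unlisted = IP(192, 0, 2, 5);
    bool a_result = table_lookup(listed);              /* A: lookup -> true */
    c.addr = listed;                                   /* A: store #1       */
    c.addr = unlisted; c.hit = table_lookup(unlisted); /* B: both stores    */
    c.hit = a_result;                                  /* A: store #2, late */
    /* Cache now says 192.0.2.5 is listed: the unlisted host matches. */
    return racy_query(&c, unlisted);
}

/* Hardened form: address and result packed into one 64-bit word written
 * with a single atomic store, so a reader sees either the old pair or the
 * new pair, never a mix of the two. */
static uint64_t pack(uint32_t addr, bool hit) { return ((uint64_t)addr << 32) | hit; }
static bool packed_query(_Atomic uint64_t *c, uint32_t addr) {
    uint64_t e = atomic_load(c);
    return (uint32_t)(e >> 32) == addr ? (bool)(e & 1) : table_lookup(addr);
}

bool simulate_race_packed(void) {
    _Atomic uint64_t c = 0;
    uint32_t listed = IP(10, 1, 2, 3), unlisted = IP(192, 0, 2, 5);
    bool a_result = table_lookup(listed);                      /* A: lookup */
    atomic_store(&c, pack(unlisted, table_lookup(unlisted)));  /* B first   */
    atomic_store(&c, pack(listed, a_result));                  /* A, whole  */
    /* Either order leaves a consistent pair; 192.0.2.5 stays unlisted. */
    return packed_query(&c, unlisted);
}
```

The racy model returns true (a false match) for the unlisted address, while the packed entry returns false under the same interleaving.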

Workaround

a) Do not use lookup tables.

OR

b) Disable concurrent processing of packets in the network stack by setting the "debug.mpsafenet=0" tunable:

# echo "debug.mpsafenet=0" >> /boot/loader.conf

References

CVE Name CVE-2005-2019
FreeBSD Advisory SA-05:13.ipfw