aclMatchArp correction

From: Gennadiy Tsarenkov <tsarenk@dont-contact.us>
Date: Thu, 20 Jul 2006 04:14:39 -0700 (PDT)

Hi all,

I've tried to build squid under a Windows environment
and found out that a fix is necessary.
Namely,
1) when copying the MAC address to arpReq using memcpy,
the attribute dwPhysAddrLen is incorrectly accessed
(i.e. NetTable[i].table->dwPhysAddrLen).
The correct line should be
    memcpy(arpReq.arp_ha.sa_data,
           NetTable->table[i].bPhysAddr,
           NetTable->table[i].dwPhysAddrLen);
This also protects this function from attacks.
2) ARP is checked against cached entries under a Windows
environment. If the ARP entry is not found in the cache,
then an undefined value is contained in
arpReq.arp_ha. This may lead to granting access or
applying a deny rule incorrectly (very unlikely, but possible). It
would be nice if it were initialized with zeros
before the lookup cycle.
    memset(&arpReq.arp_ha, 0, sizeof(arpReq.arp_ha));
3) I would even suggest extending this
functionality in such a way that if the address is not
found in the cache, then the SendARP function is executed. I
suggest implementing it in the following context:
    if (arpReq.arp_ha.sa_data[0] == 0 && arpReq.arp_ha.sa_data[1] == 0 &&
        arpReq.arp_ha.sa_data[2] == 0 && arpReq.arp_ha.sa_data[3] == 0 &&
        arpReq.arp_ha.sa_data[4] == 0 && arpReq.arp_ha.sa_data[5] == 0)
    {
        /* Try to get ARP entry from network */
        i = 6;
        memset(&arpReq.arp_ha, 0, sizeof(arpReq.arp_ha));
        arpReq.arp_ha.sa_family = AF_UNSPEC;
        if (SendARP(c.s_addr, 0, (PULONG)arpReq.arp_ha.sa_data, &i) != NO_ERROR)
        {
            debug(28, 0) ("Can't retrieve MAC address!\n");
            return 0;
        }
    }
    debug(28, 4) ("Got address %02x:%02x:%02x:%02x:%02x:%02x\n",
        arpReq.arp_ha.sa_data[0] & 0xff, arpReq.arp_ha.sa_data[1] & 0xff,
        arpReq.arp_ha.sa_data[2] & 0xff, arpReq.arp_ha.sa_data[3] & 0xff,
        arpReq.arp_ha.sa_data[4] & 0xff, arpReq.arp_ha.sa_data[5] & 0xff);

4) For Windows under cygwin it is still necessary to
add -lresolv when linking with --disable-internal-dns.

These modifications are pretty safe for other
platforms, since they have to be done under a special
design.

Best regards,
Gennadiy Tsarenkov

Received on Thu Jul 20 2006 - 09:08:20 MDT
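
Points 1 and 2 of the message above, as an added example (not code from the post or from Squid): a cache lookup that indexes the row array rather than the table pointer and leaves a defined all-zero MAC on a miss. The struct types, `arp_cache_lookup`, and the sample table are constructed stand-ins for the Windows IP net table; rejecting lengths other than 6 bytes is an assumption of this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the Windows IP net table layout:
 * a header with an entry count followed by an array of rows. */
#define PHYSADDR_MAX 8
#define TABLE_CAP    4
#define MAC_LEN      6

typedef struct {
    uint32_t dwPhysAddrLen;
    uint8_t  bPhysAddr[PHYSADDR_MAX];
    uint32_t dwAddr;                 /* IPv4 address of the entry */
} net_row;

typedef struct {
    uint32_t dwNumEntries;
    net_row  table[TABLE_CAP];
} net_table;

/* On a hit, copy the MAC into mac and return 1. On a miss (or an entry
 * whose length is not an Ethernet MAC), mac stays all-zero and 0 is
 * returned, so the ACL never compares against leftover stack bytes. */
int arp_cache_lookup(const net_table *t, uint32_t ip, uint8_t mac[MAC_LEN])
{
    memset(mac, 0, MAC_LEN);                     /* point 2: zero before the loop */
    for (uint32_t i = 0; i < t->dwNumEntries && i < TABLE_CAP; i++) {
        const net_row *row = &t->table[i];       /* point 1: t->table[i], not t[i].table */
        if (row->dwAddr != ip)
            continue;
        if (row->dwPhysAddrLen != MAC_LEN)       /* length comes from the matched row */
            return 0;
        memcpy(mac, row->bPhysAddr, MAC_LEN);
        return 1;
    }
    return 0;
}

/* Constructed sample cache with two entries. */
static const net_table sample = {
    2,
    { { 6, {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, 0x0a000001u },
      { 6, {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee}, 0x0a000002u } }
};

int main(void)
{
    uint8_t mac[MAC_LEN];
    memset(mac, 0x5a, sizeof mac);               /* simulate stale stack contents */
    return arp_cache_lookup(&sample, 0x0a000009u, mac);  /* miss: returns 0 */
}
```

Returning an explicit hit/miss flag lets the caller deny on a miss instead of inferring it from the buffer contents.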
