From: Kevin Z. <kev...@gm...> - 2015-05-26 21:41:32
Hi Greg,

Thanks for tracking down the problem and providing a fix. This issue has been around for quite some time and I never had enough motivation to track it down (I never used the blacklist with ipfw).

(The original patch is attached with this message.)

On 05/26/2015 12:11, Greg Putrich wrote:
> On sshguard 1.6.0 (and 1.5.0) on FreeBSD 10.1 with ipfw, when starting up
> sshguard with a "large" blacklist.db file, it would crash with a segmentation
> fault & dump its core. Tracked this down to MAXIPFWCMDLEN being set to 90.

That would do it. The culprits are short fixed-length buffers used with unbounded string functions. All the sprintf's should be taken out.

> Set it to 100 and it worked with a slightly larger blacklist.db file, but the
> problem is, changing that number is fine for a time, but my blacklist.db file
> for running for a couple of weeks is 212 entries and that would be one really
> long rule. I found this the hard way when I patched my system, rebooted and
> didn't check sshguard. I looked at it by chance later and it wasn't running
> and wouldn't start. Cleared out blacklist.db and it was fine. As you can see,
> this is not an ideal condition and makes blacklist.db useless.

A "fix" would be to bump the buffer up to something ridiculous like 2048 (or something in sys/limits.h). But you're right; that doesn't solve the problem at hand.

> I decided to fix it by looping through each entry & adding a separate rule.

This was originally avoided to stop incurring the penalty of a system() call for every IP. But this fix is better than crashing.

> What this also does is keeps the counters meaningful as can tell which IP
> addresses are actively being a pest.

The ipfw backend has been rotting in lots of different places. A while ago someone pointed out some vulnerabilities concerning how the ipfw backend assigns attackers to firewall rules, but that hasn't been fixed.

> Attached is the patch for 1.6.0. For the most part, I copied the code from two
> sections within ipfw.c then wrapped it in a for loop.
>
> Also included in that diff is the existing patch for ipfw.c in sshguard-ipfw
> on FreeBSD.
>
> I'm not much of a C coder, so this may not be the ideal way of doing it, but
> it's been working here and no more core dumps when loading a big blacklist.db.

I'll take a look. In the future, you're more than welcome to post patches to the mailing list for more eyes to look at it. Also, in case I never get around to actually looking at it.

Thanks,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
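The two patterns the thread contrasts (one ever-growing ipfw command formatted into a fixed MAXIPFWCMDLEN-sized buffer, versus one bounded command per blacklist entry) as an added example in C; this is not sshguard's code or Greg's patch. The rule skeleton, the CMD_LEN value and the sample addresses are constructed assumptions, and the per-entry path only formats commands and never calls system().

```c
#include <stdio.h>
#include <string.h>

/* Assumed value mirroring the MAXIPFWCMDLEN of 90 discussed in the thread. */
#define CMD_LEN 90

/* Constructed sample blacklist (documentation-range addresses). */
static const char *const SAMPLE_BLACKLIST[] = {
    "192.0.2.10", "192.0.2.11", "198.51.100.7",
    "203.0.113.9", "203.0.113.200", "198.51.100.250",
};

/* Assumed rule skeleton; sshguard's ipfw backend has its own rule text. */
#define RULE_PREFIX "ipfw add 22000 drop ip from "
#define RULE_SUFFIX " to any"

/* Old pattern: one command listing every address. Returns the length such a
 * command needs (without the NUL); once that reaches CMD_LEN, a sprintf()
 * into a CMD_LEN-byte buffer has already written past its end. */
size_t single_rule_len(const char *const *ips, size_t n) {
    size_t len = strlen(RULE_PREFIX) + strlen(RULE_SUFFIX);
    for (size_t i = 0; i < n; i++)
        len += strlen(ips[i]) + (i + 1 < n ? 1 : 0);  /* ',' between entries */
    return len;
}

/* New pattern: one bounded command per address. snprintf() never writes past
 * cmd_len and reports the length it wanted, so an oversize entry is detected
 * and skipped instead of corrupting memory. Returns 0 if the rule fit, -1 if
 * it was truncated. */
int format_rule(char *cmd, size_t cmd_len, const char *ip) {
    int n = snprintf(cmd, cmd_len, RULE_PREFIX "%s" RULE_SUFFIX, ip);
    if (n < 0 || (size_t)n >= cmd_len)
        return -1;   /* truncated: never hand a mangled rule to system() */
    return 0;
}

/* Per-entry loop as in the fix: format each rule into a cmd_len-byte buffer
 * (capped at the local array) and count the ones that fit. sshguard would
 * call system() once per address here; this example executes nothing. */
size_t apply_per_entry(const char *const *ips, size_t n, size_t cmd_len) {
    char cmd[256];
    size_t ok = 0;
    if (cmd_len > sizeof cmd)
        cmd_len = sizeof cmd;
    for (size_t i = 0; i < n; i++)
        if (format_rule(cmd, cmd_len, ips[i]) == 0)
            ok++;
    return ok;
}
```

With six constructed entries the single combined command already needs 110 bytes, more than the 90-byte buffer, while every per-entry command stays under 50 bytes.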