Hi Greg,
Thanks for tracking down the problem and providing a fix. This issue has
been around for quite some time and I never had enough motivation to
track it down (I never used the blacklist with ipfw).
(The original patch is attached with this message.)
On 05/26/2015 12:11, Greg Putrich wrote:
> On sshguard 1.6.0 (and 1.5.0) on FreeBSD 10.1 with ipfw, when starting up
> sshguard with a "large" blacklist.db file, it would crash with a segmentation
> fault & dump its core. Tracked this down to MAXIPFWCMDLEN being set to 90.
That would do it. The culprits are short fixed-length buffers used with
unbounded string functions. All the sprintf's should be taken out.
> Set it to 100 and it worked with a slightly larger blacklist.db file, but the
> problem is, changing that number is fine for a time, but my blacklist.db file
> after running for a couple of weeks is 212 entries and that would be one really
> long rule. I found this the hard way when I patched my system, rebooted and
> didn't check sshguard. I looked at it by chance later and it wasn't running
> and wouldn't start. Cleared out blacklist.db and it was fine. As you can see,
> this is not an ideal condition and makes blacklist.db useless.
A "fix" would be to bump the buffer up to something ridiculous like 2048
(or something in sys/limits.h). But you're right; that doesn't solve the
problem at hand.
> I decided to fix it by looping through each entry & adding a separate rule.
This was originally avoided to stop incurring the penalty of a system()
call for every IP. But this fix is better than crashing.
> What this also does is keep the counters meaningful, as you can tell which IP
> addresses are actively being a pest.
The ipfw backend has been rotting in lots of different places. A while
ago someone pointed out some vulnerabilities concerning how the ipfw
backend assigns attackers to firewall rules, but that hasn't been fixed.
> Attached is the patch for 1.6.0. For the most part, I copied the code from two
> sections within ipfw.c then wrapped it in a for loop.
>
> Also included in that diff is the existing patch for ipfw.c in sshguard-ipfw
> on FreeBSD.
>
> I'm not much of a C coder, so this may not be the ideal way of doing it, but
> it's been working here and no more core dumps when loading a big blacklist.db.
I'll take a look. In the future, you're more than welcome to post
patches to the mailing list for more eyes to look at it. Also, in case I
never get around to actually looking at it.
Thanks,
Kevin Zheng
--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
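The buffer problem discussed in the thread, as an added example (this is not sshguard's ipfw.c and not Greg's patch): the unbounded sprintf pattern that crashes on a long blacklist, a bounded builder that refuses instead of overflowing, and the one-rule-per-address loop. MAXIPFWCMDLEN is the value named in the e-mail; the rule number, the exact ipfw command shape, and the 10.0.x.y sample addresses are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Value taken from the thread; everything else here is an illustrative
 * stand-in for sshguard's ipfw backend, not its code. */
#define MAXIPFWCMDLEN 90

/* Assumed command shape (rule number and syntax are not from sshguard). */
#define CMD_PREFIX "ipfw add 55000 drop ip from "
#define CMD_SUFFIX " to any"

/* The crash pattern: every address is sprintf'd onto one fixed buffer with
 * no bound, so a long blacklist writes past the end of buf. Kept for
 * contrast; main() only calls it with a single address, which fits. */
static void build_cmd_unsafe(char *buf, const char *const *addrs, size_t n)
{
    sprintf(buf, "%s", CMD_PREFIX);
    for (size_t i = 0; i < n; i++)
        sprintf(buf + strlen(buf), "%s%s", i ? "," : "", addrs[i]);
    strcat(buf, CMD_SUFFIX);
}

/* Bounded append: copies s (with its NUL) only if it fits in the room left.
 * Returns 0 on success, -1 if the command would overflow the buffer. */
static int append(char *buf, size_t cap, size_t *used, const char *s)
{
    size_t len = strlen(s);
    if (*used >= cap || len + 1 > cap - *used)
        return -1;
    memcpy(buf + *used, s, len + 1);
    *used += len;
    return 0;
}

/* One rule for the whole list, but failing (buf left empty) instead of
 * overflowing when the list does not fit in cap bytes. */
static int build_cmd_bounded(char *buf, size_t cap,
                             const char *const *addrs, size_t n)
{
    size_t used = 0;
    if (cap == 0) return -1;
    buf[0] = '\0';
    if (append(buf, cap, &used, CMD_PREFIX)) goto fail;
    for (size_t i = 0; i < n; i++) {
        if (i && append(buf, cap, &used, ",")) goto fail;
        if (append(buf, cap, &used, addrs[i])) goto fail;
    }
    if (append(buf, cap, &used, CMD_SUFFIX)) goto fail;
    return 0;
fail:
    buf[0] = '\0';
    return -1;
}

/* One rule per address, the approach taken in the patch: each command is
 * prefix + one address + suffix, so the 90-byte buffer always suffices for a
 * dotted quad whatever the blacklist length. run() stands in for system()
 * and is called once per address, the cost the single-rule form avoided.
 * Returns the number of commands run, or -1 on the first failure. */
static int build_per_entry_cmds(const char *const *addrs, size_t n,
                                int (*run)(const char *))
{
    char buf[MAXIPFWCMDLEN];
    for (size_t i = 0; i < n; i++) {
        size_t used = 0;
        if (append(buf, sizeof buf, &used, CMD_PREFIX) ||
            append(buf, sizeof buf, &used, addrs[i]) ||
            append(buf, sizeof buf, &used, CMD_SUFFIX))
            return -1;
        if (run(buf) != 0)
            return -1;
    }
    return (int)n;
}

/* Constructed blacklist: n addresses of the form 10.0.X.Y (not real data). */
#define MAX_SAMPLE 1024
static char sample_store[MAX_SAMPLE][16];
static const char *sample_ptrs[MAX_SAMPLE];

static size_t make_sample(size_t n)
{
    if (n > MAX_SAMPLE) n = MAX_SAMPLE;
    for (size_t i = 0; i < n; i++) {
        snprintf(sample_store[i], sizeof sample_store[i], "10.0.%zu.%zu",
                 i / 256, i % 256);
        sample_ptrs[i] = sample_store[i];
    }
    return n;
}

/* 1 if one aggregate rule for n sample addresses fits in MAXIPFWCMDLEN. */
static int aggregate_fits(size_t n)
{
    char buf[MAXIPFWCMDLEN];
    n = make_sample(n);
    return build_cmd_bounded(buf, sizeof buf, sample_ptrs, n) == 0;
}

static int dry_run(const char *cmd) { (void)cmd; return 0; }
static int print_run(const char *cmd) { return puts(cmd) < 0; }

/* Number of per-entry commands built for n sample addresses (-1 on error). */
static int per_entry_count(size_t n)
{
    n = make_sample(n);
    return build_per_entry_cmds(sample_ptrs, n, dry_run);
}

int main(void)
{
    char buf[MAXIPFWCMDLEN];
    make_sample(1);
    build_cmd_unsafe(buf, sample_ptrs, 1);   /* one address: fits */
    puts(buf);
    printf("aggregate rule for 6 addresses fits: %d\n", aggregate_fits(6));
    printf("aggregate rule for 212 addresses fits: %d\n", aggregate_fits(212));
    make_sample(3);
    build_per_entry_cmds(sample_ptrs, 3, print_run);
    return 0;
}
```

With the assumed 28-byte prefix and 7-byte suffix, the 90-byte buffer holds an aggregate rule for at most six 8-character addresses; the seventh is refused by the bounded builder where the sprintf version would have written past the end. The per-entry loop builds all 212 commands in the same buffer without ever needing it to grow.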