From comp.sources.misc Thu Mar 25 10:43:44 1993
Newsgroups: comp.sources.misc
Path: svin09.info.win.tue.nl!ruuinf!sun4nl!mcsun!uunet!sparky!kent
From: wietse@wzv.win.tue.nl (Wietse Venema)
Subject: v36i068:  log_tcp - TCP/IP daemon wrapper, v5.0, Patch01
Message-ID: <1993Mar25.045752.4819@sparky.imd.sterling.com>
Followup-To: comp.sources.d
X-Md4-Signature: 4dfd3a313cbdaeb28f014f5f40d570c0
Keywords: log_tcp, tcpd, tcp wrapper, frontd
Sender: kent@sparky.imd.sterling.com (Kent Landfield)
Organization: Eindhoven University of Technology, The Netherlands
References: <csm-v36i004=log_tcp.221238@sparky.IMD.Sterling.COM>
Date: Thu, 25 Mar 1993 04:57:52 GMT
Approved: kent@sparky.imd.sterling.com
Lines: 173

Submitted-by: wietse@wzv.win.tue.nl (Wietse Venema)
Posting-number: Volume 36, Issue 68
Archive-name: log_tcp/patch01
Environment: UNIX
Patch-To: log_tcp: Volume 36, Issue 4-6

A bug in the SunOS 4.x implementation of the getsockopt() system call
can cause occasional kernal panics (BAD TRAP, Data fault). This happens
only when the protection against source-routing attacks is enabled. The
workaround is to disable this protection by default.

	Wietse

*** ./patchlevel.h-	Sun Mar  7 22:48:02 1993
--- ./patchlevel.h	Wed Mar 24 22:42:54 1993
***************
*** 1,3 ****
  #ifndef lint
! static char patchlevel[] = "@(#) patchlevel 5.0";
  #endif
--- 1,3 ----
  #ifndef lint
! static char patchlevel[] = "@(#) patchlevel 5.1";
  #endif
*** ./BLURB-	Sun Mar  7 22:47:51 1993
--- ./BLURB	Wed Mar 24 22:42:40 1993
***************
*** 1,4 ****
! @(#) BLURB 1.7 93/03/07 22:47:49
  
  With the programs that come with this kit you can monitor incoming
  requests for IP services such as TFTP, EXEC, FTP, RSH, TELNET, RLOGIN,
--- 1,4 ----
! @(#) BLURB 1.8 93/03/24 22:42:37
  
  With the programs that come with this kit you can monitor incoming
  requests for IP services such as TFTP, EXEC, FTP, RSH, TELNET, RLOGIN,
***************
*** 16,22 ****
  
  The most notable differences with respect to the previous release are:
  
!     - Additional protection against attacks from hosts that pretend to
      have someone elses network address. For example, the address of a
      trusted host within your own network.
  
--- 16,22 ----
  
  The most notable differences with respect to the previous release are:
  
!     - Optional protection against attacks from hosts that pretend to
      have someone elses network address. For example, the address of a
      trusted host within your own network.
  
***************
*** 38,45 ****
      - Still more documentation. The README file now provides tutorial
      sections with introductions to client, server, inetd and syslogd.
  
! With the exception of source routed connections, the default mode of
! operation should be backwards compatible with earlier versions.
  
  	Wietse Venema (wietse@wzv.win.tue.nl),
  	Department of Mathematics and Computing Science,
--- 38,45 ----
      - Still more documentation. The README file now provides tutorial
      sections with introductions to client, server, inetd and syslogd.
  
! The default mode of operation should be backwards compatible with
! earlier versions.
  
  	Wietse Venema (wietse@wzv.win.tue.nl),
  	Department of Mathematics and Computing Science,
*** ./README-	Sun Mar  7 22:47:27 1993
--- ./README	Wed Mar 24 22:42:51 1993
***************
*** 1,4 ****
! @(#) README 1.9 93/03/07 22:47:24
  
  
  Table of contents
--- 1,4 ----
! @(#) README 1.10 93/03/24 22:42:46
  
  
  Table of contents
***************
*** 281,287 ****
  will be disabled for all TCP connections that are handled by the
  wrapper programs.
  
! The feature is enabled by default. It can be turned off by editing the
  Makefile.  The configuration and installation section below describes
  the Makefile editing process.
  
--- 281,292 ----
  will be disabled for all TCP connections that are handled by the
  wrapper programs.
  
! All this cannot be used with SunOS 4.x because of a kernel bug in the
! implementation of the getsockopt() system call. Kernel panics have been
! reported for SunOS 4.1.1 and SunOS 4.1.2. The symptoms are "BAD TRAP"
! and "Data fault" while executing the tcp_ctloutput() kernel function.
! 
! The feature is disabled by default. It can be turned on by editing the
  Makefile.  The configuration and installation section below describes
  the Makefile editing process.
  
*** ./Makefile.dist-	Sun Mar  7 22:47:46 1993
--- ./Makefile.dist	Wed Mar 24 22:42:44 1993
***************
*** 1,4 ****
! # @(#) Makefile.dist 1.1 93/03/07 22:47:45
  # 
  # If you did not already do so, copy the file Makefile.dist to Makefile
  # and edit the copy, not the original. Have a copy of the README file at
--- 1,4 ----
! # @(#) Makefile.dist 1.2 93/03/24 22:42:41
  # 
  # If you did not already do so, copy the file Makefile.dist to Makefile
  # and edit the copy, not the original. Have a copy of the README file at
***************
*** 272,281 ****
  
  PARANOID= -DPARANOID
  
! ##############################################
! # Turning off host ADDRESS checking (Optional)
  #
! # By default, the software tries to protect against hosts that pretend to
  # have someone elses host address. This is relevant for network services
  # whose authentication depends on host names, such as rsh and rlogin,
  # because the network address is used to look up the remote host name.
--- 272,281 ----
  
  PARANOID= -DPARANOID
  
! #############################################
! # Turning on host ADDRESS checking (Optional)
  #
! # Optionally, the software tries to protect against hosts that pretend to
  # have someone elses host address. This is relevant for network services
  # whose authentication depends on host names, such as rsh and rlogin,
  # because the network address is used to look up the remote host name.
***************
*** 286,295 ****
  # My site has been running rlogind and rshd daemons that implement this
  # feature for more than 2 years, and without any ill effects.
  #
! # Comment out the following definition if you do not need the additional
! # protection.
! 
! KILL_OPT= -DKILL_IP_OPTIONS
  
  ## End configuration options
  ############################
--- 286,299 ----
  # My site has been running rlogind and rshd daemons that implement this
  # feature for more than 2 years, and without any ill effects.
  #
! # This feature cannot be used with SunOS 4.x because of a kernel bug in
! # the implementation of the getsockopt() system call. Kernel panics have
! # been reported for SunOS 4.1.1 and SunOS 4.1.2. Symptoms are "BAD TRAP"
! # and "Data fault" while executing the tcp_ctloutput() kernel function.
! #
! # Uncomment the following macro definition if your getsockopt() is OK.
! #
! # KILL_OPT= -DKILL_IP_OPTIONS
  
  ## End configuration options
  ############################

exit 0 # Just in case...