Hi Tim,

Thanks for the finding! A quick fix would be to check if snaplen was previously
set and only apply the pledge if it wasn't.

Otherwise I can just revert it back. Comments?

Index: pflogd.c
===================================================================
RCS file: /cvs/src/sbin/pflogd/pflogd.c,v
retrieving revision 1.53
diff -u -p -u -r1.53 pflogd.c
--- pflogd.c    16 Jan 2016 03:17:48 -0000      1.53
+++ pflogd.c    4 Jul 2017 14:30:47 -0000
@@ -557,6 +557,7 @@ main(int argc, char **argv)
        const char *errstr = NULL;
 
        ret = 0;
+       setsnaplen = 0;
 
        closefrom(STDERR_FILENO + 1);
 
@@ -583,6 +584,7 @@ main(int argc, char **argv)
                                snaplen = DEF_SNAPLEN;
                        if (errstr)
                                snaplen = PFLOGD_MAXSNAPLEN;
+                       setsnaplen = 1;
                        break;
                case 'x':
                        Xflag = 1;
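Review bot: setsnaplen = 1 is set unconditionally at the end of the snaplen option case, so it records only that the option was given, including when the value falls back to DEF_SNAPLEN or PFLOGD_MAXSNAPLEN in the lines just above. Tim's report ties the abort to the existing log file having a different snaplen ("Existing file has different snaplen 160, using it"), which is a property of the file rather than of the command line. Please confirm that PRIV_SET_SNAPLENGTH cannot be reached when pflogd is started without -s against a log file whose snaplen differs from the default; if it can, this flag does not cover that case.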
Index: pflogd.h
===================================================================
RCS file: /cvs/src/sbin/pflogd/pflogd.h,v
retrieving revision 1.5
diff -u -p -u -r1.5 pflogd.h
--- pflogd.h    10 Oct 2015 22:36:06 -0000      1.5
+++ pflogd.h    4 Jul 2017 14:30:47 -0000
@@ -47,3 +47,4 @@ void send_fd(int, int);
 int  receive_fd(int);
 
 extern int Debug;
+int setsnaplen;
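Review bot: int setsnaplen; in pflogd.h is a definition rather than a declaration, so every file that includes the header gets its own tentative definition and the build relies on the linker merging them. The line above it uses extern int Debug; follow that pattern with extern int setsnaplen; here and keep the single definition int setsnaplen; in pflogd.c. A short comment saying that the flag gates the pledge call in priv_init() would also help.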
Index: privsep.c
===================================================================
RCS file: /cvs/src/sbin/pflogd/privsep.c,v
retrieving revision 1.25
diff -u -p -u -r1.25 privsep.c
--- privsep.c   12 Jun 2017 23:37:44 -0000      1.25
+++ privsep.c   4 Jul 2017 14:30:47 -0000
@@ -118,8 +118,10 @@ priv_init(void)
        setproctitle("[priv]");
        close(socks[1]);
 
-       if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == -1)
-               err(1, "pledge");
+       if (setsnaplen == 0) {
+               if (pledge("stdio rpath wpath cpath sendfd proc bpf", NULL) == 
-1)
+                       err(1, "pledge");
+       }
 
        while (!gotsig_chld) {
                if (may_read(socks[0], &cmd, sizeof(int)))
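Review bot: in priv_init(), when setsnaplen is non-zero the pledge() call is skipped entirely, so starting pflogd with -s leaves the [priv] process with no pledge at all for its whole lifetime. The backtrace in the report shows the abort comes from the BIOCSETF ioctl in pcap_setfilter(), reached through set_pcap_filter() from priv_init(); consider keeping pledge() on both paths, for example by deferring it until that filter setup has run, instead of making it conditional on a command-line flag. If the conditional stays, it needs a comment explaining why the privileged process is left unpledged.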

On 15:49 Tue 04 Jul     , Tim van der Molen wrote:
> Ricardo Mestre (2017-06-13 01:37 +0200):
> > CVSROOT:    /cvs
> > Module name:        src
> > Changes by: mes...@cvs.openbsd.org  2017/06/12 17:37:44
> > 
> > Modified files:
> >     sbin/pflogd    : privsep.c 
> > 
> > Log message:
> > pledge(2) bpf has been in use for some time now on tcpdump(8), this will enable
> > it also for pflogd(8)'s priv proc.
> > 
> > OK deraadt@
> 
> This is a problem if the logfile has a different snaplen:
> 
> sigma:/usr/src/sbin/pflogd $ doas obj/pflogd -Ds 200
> [priv]: msg PRIV_OPEN_LOG received
> Existing file has different snaplen 160, using it
> [priv]: msg PRIV_SET_SNAPLENGTH received
> Abort trap (core dumped)
> 
> dmesg:
> 
> pflogd(27017): syscall 54 "tty"
> 
> Backtrace:
> 
> #0  0x000010e809fd8f9a in ioctl () at {standard input}:5
> #1  0x000010e817f4ee76 in pcap_setfilter (p=0x10e81e1cfe00, fp=0x7f7ffffe13d0) at /usr/src/lib/libpcap/pcap-bpf.c:923
> #2  0x000010e603201624 in set_pcap_filter () at /usr/src/sbin/pflogd/pflogd.c:188
> #3  0x000010e603202384 in priv_init () at /usr/src/sbin/pflogd/privsep.c:187
> #4  0x000010e603201a0b in main (argc=3, argv=0x7f7ffffe1918) at /usr/src/sbin/pflogd/pflogd.c:633
> 
> /usr/src/lib/libpcap/pcap-bpf.c:923:
> 
>       } else if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
> 
