Date: Fri, 5 Jan 2007 14:45:04 GMT
From: Igor Anishchuk <igor.anishchuk@f-secure.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/107565: input string parsing mistake
Message-ID: <200701051445.l05Ej4Gg003586@www.freebsd.org>
Resent-Message-ID: <200701051450.l05EoFqV092569@freefall.freebsd.org>
>Number: 107565
>Category: misc
>Synopsis: input string parsing mistake
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 05 14:50:14 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Igor Anishchuk
>Release: FreeBSD 6.2-PRERELEASE #5: Tue Jan 2 15:00:46 EET 2007
>Organization:
F-Secure Corporation
>Environment:
FreeBSD fsfwc002.test 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #5: Tue Jan 2 15:00:46 EET 2007 anisig@fsfwc002.test:/usr/obj/usr/src/sys/FSFWC amd64
>Description:
It is impossible to specify more than one IP address and mask in colon-separated form. During my investigation I've found that the /xx form uses the same dangerous parsing method and its work relies only on an atoi() behavior hack.

As I see it, the parsing works quite stupidly. It just passes the entire line after the delimiter to an external function (either atoi() or inet_aton()), and the last one just can't parse the line if it contains anything else after the current pair of address:mask.

The file in question is /usr/src/sbin/ipfw/ipfw2.c, the lines starting from #2714.
>How-To-Repeat:
ipfw add count all from any to 192.168.0.0/24,192.168.2.0:255.255.255.0

The previous one works well. The next one doesn't.

ipfw add count all from any to 192.168.0.0:255.255.255.0,192.168.2.0:255.255.255.0
>Fix:
fsfwc002# diff /usr/src/sbin/ipfw/ipfw2.c.old /usr/src/sbin/ipfw/ipfw2.c 2722a2723,2731 > char t[15]; > int ti; > > for(ti=0; ti<16 && p[ti] != 0; ti++){ > t[ti]=p[ti+1]; > if(t[ti] != '.' && (t[ti] < '0' || t[ti] > '9')) > t[ti] = '\0'; > } > 2734c2743 < if (!inet_aton(p, (struct in_addr *)&d[1])) --- > if (!inet_aton(t, (struct in_addr *)&d[1])) 2738c2747 < masklen = atoi(p); --- > masklen = atoi(t);
>Release-Note:
>Audit-Trail:
>Unformatted:
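Review bot: In the 2722a2723,2731 hunk, `char t[15]` is one byte too small for the loop bound `ti<16`: the loop can store to t[15], past the end of the array, and a 15-character mask such as 255.255.255.255 leaves no room inside the array for the terminator. The loop also tests p[ti] while copying p[ti+1], and it keeps copying after it has written '\0', so if 16 digit-or-dot characters arrive, t reaches inet_aton() or atoi() unterminated. Suggest declaring t with 16 bytes, bounding the loop with sizeof(t) - 1, breaking at the first character that is not a digit or '.', and writing the terminator once after the loop.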
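Review bot: In the 2738c2747 change, `masklen = atoi(t)` still cannot report a parse failure: when t is empty or begins with a non-digit, atoi() returns 0, which is indistinguishable from an explicit /0. Suggest strtol() with an end pointer and a 0 to 32 range check there. For the 2734c2743 change, neither changed line shows the input pointer being advanced past the characters that were copied into t, so it is worth confirming that the text after the comma is picked up as the next entry rather than dropped.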
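The failure described in the report comes from handing the whole remainder of the argument to inet_aton() or atoi(). As an added example (not code from ipfw2.c or from the submitter), here is one way to tokenize such a list so that every address, mask and prefix length is bounded before it is converted. The names net_entry, parse_quad and parse_addr_list are hypothetical, inet_pton() and strtol() stand in for the inet_aton() and atoi() calls the report mentions, and an address without a suffix is assumed to mean a single host.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct net_entry { uint32_t addr, mask; };  /* hypothetical type, network byte order */

/* Parse exactly the n bytes at s as a dotted quad, via a bounded, terminated copy. */
static int parse_quad(const char *s, size_t n, uint32_t *out)
{
    char buf[INET_ADDRSTRLEN];      /* 16 bytes: "255.255.255.255" plus NUL */
    struct in_addr a;
    if (n == 0 || n >= sizeof(buf))
        return -1;
    memcpy(buf, s, n);
    buf[n] = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    *out = a.s_addr;
    return 0;
}

/* Parse "addr[/len | :mask][,addr...]"; returns the entry count or -1 on error. */
int parse_addr_list(const char *s, struct net_entry *out, int max)
{
    int n = 0;
    for (;; s++) {                          /* s++ skips the ',' between entries */
        size_t alen = strcspn(s, "/:,");    /* address stops at a delimiter or NUL */
        if (n == max || parse_quad(s, alen, &out[n].addr) != 0)
            return -1;
        s += alen;
        out[n].mask = htonl(0xffffffffu);   /* no suffix: single host (assumption) */
        if (*s == ':') {                    /* mask is bounded by the next ',' */
            size_t mlen = strcspn(++s, ",");
            if (parse_quad(s, mlen, &out[n].mask) != 0)
                return -1;
            s += mlen;
        } else if (*s == '/') {             /* strtol reports where the digits end */
            char *end;
            long len = strtol(++s, &end, 10);
            if (*s < '0' || *s > '9' || len > 32)
                return -1;
            out[n].mask = len ? htonl(0xffffffffu << (32 - len)) : 0;
            s = end;
        }
        n++;
        if (*s != ',')                      /* only ',' or end of string may follow */
            return *s == '\0' ? n : -1;
    }
}
```

Called on the report's failing argument, `192.168.0.0:255.255.255.0,192.168.2.0:255.255.255.0`, parse_addr_list() returns 2 entries, and it rejects an empty prefix length such as `192.168.0.0/,` instead of reading it as 0.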