From jeremyp@gsmx07.alcatel.com.au Mon Jun 28 14:58:37 1999
Return-Path: <jeremyp@gsmx07.alcatel.com.au>
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10])
	by hub.freebsd.org (Postfix) with ESMTP id 72F3314CBB
	for <FreeBSD-gnats-submit@FreeBSD.ORG>; Mon, 28 Jun 1999 14:58:29 -0700 (PDT)
	(envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40325>; Tue, 29 Jun 1999 07:41:08 +1000
Message-Id: <99Jun29.074108est.40325@border.alcanet.com.au>
Date: Tue, 29 Jun 1999 06:44:07 +1000
From: peter.jeremy@alcatel.com.au
Sender: jeremyp@gsmx07.alcatel.com.au
Reply-To: peter.jeremy@alcatel.com.au
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Off-by-1 error and incorrect man page for /usr/sbin/ppp
X-Send-Pr-Version: 3.2

>Number:         12437
>Category:       bin
>Synopsis:       Off-by-1 error and incorrect man page for /usr/sbin/ppp
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    brian
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 28 15:00:02 PDT 1999
>Closed-Date:    Mon Jul 26 04:15:26 PDT 1999
>Last-Modified:  Mon Jul 26 04:15:50 PDT 1999
>Originator:     Peter Jeremy
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Alcatel Australia Limited
>Environment:

	-current as of cvs-cur 5429

>Description:

	1) When a `filter' entry is validated, the filter number is
	   range-checked in filter.c:Parse().  Currently, the check
	   allows filter numbers 0 through MAXFILTERS (40) inclusive,
	   although the actual array is MAXFILTERS long.

	2) The man page states that the filter number should be
	   between 0 and 19 (though it later states 40 filters are
	   allowed).  The 19 should be 39 to match the (corrected) code.

	3) The man page does not document the `clear' option, which
	   allows a specific filter number to be deleted.

>How-To-Repeat:

	The problems were all found via code inspection; however, the
	first problem should show up by using a configuration file
	entry along the lines of
	  set filter in 40 permit 193.21.10.30/31 139.188.0.0/16
	which should be rejected.

>Fix:
	
Index: filter.c
===================================================================
RCS file: /home/CVSROOT/./src/usr.sbin/ppp/filter.c,v
retrieving revision 1.30
diff -u -r1.30 filter.c
--- filter.c	1999/06/23 16:48:21	1.30
+++ filter.c	1999/06/28 14:56:41
@@ -306,7 +306,7 @@
   struct filterent filterdata;
 
   val = strtol(*argv, &wp, 0);
-  if (*argv == wp || val > MAXFILTERS) {
+  if (*argv == wp || val >= MAXFILTERS) {
     log_Printf(LogWARN, "Parse: invalid filter number.\n");
     return (0);
   }
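Review bot: The condition on `val` still has no lower bound. `strtol()` returns a signed long, so a negative value passes `*argv == wp || val >= MAXFILTERS` as written. Unless negative numbers are rejected elsewhere in Parse(), add `val < 0 ||` to this test so the filter array cannot be indexed below zero. These lines also never examine `*wp`, so characters left over after the number are not rejected here.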
Index: ppp.8
===================================================================
RCS file: /home/CVSROOT/./src/usr.sbin/ppp/ppp.8,v
retrieving revision 1.177
diff -u -r1.177 ppp.8
--- ppp.8	1999/06/23 16:48:24	1.177
+++ ppp.8	1999/06/28 14:56:42
@@ -1424,7 +1424,7 @@
 is a numeric value between
 .Sq 0
 and
-.Sq 19
+.Sq 39
 specifying the rule number.  Rules are specified in numeric order according to
 .Ar rule-no ,
 but only if rule
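Review bot: The literal in `.Sq 39` is MAXFILTERS - 1 written out by hand, and the `19` it replaces shows this text can fall out of step with the code. Consider stating next to it that the upper bound is one less than the number of rules allowed, so a later change to MAXFILTERS has an obvious place to update in ppp.8.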
@@ -1438,6 +1438,10 @@
 .Sq deny .
 If a given packet
 matches the rule, the associated action is taken immediately.
+.Ar Action
+can also be specified as
+.Sq clear
+to clear the action associated with that particular rule.
 .It
 .Op Ar src_addr Ns Op / Ns Ar width
 and
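Review bot: The added sentence says `clear` clears "the action associated with that particular rule", but it directly follows "the associated action is taken immediately", so it can be read as one more per-packet action beside `deny`. The PR describes `clear` as deleting a specific filter number, so say that it removes the rule. If the argument is spelled `action` elsewhere in the page, reword the sentence so `.Ar Action` does not have to be capitalised.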


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->brian 
Responsible-Changed-By: hoek 
Responsible-Changed-When: Sun Jul 4 05:03:55 PDT 1999 
Responsible-Changed-Why:  
src/usr.bin/ppp/Makefile contains MAINTAINER=brian@FreeBSD.org, so he's 
got the fortunate responsibility of fixing this PR, too.  :-) 

The PR includes a simple patch, incidentally. 
State-Changed-From-To: open->closed 
State-Changed-By: brian 
State-Changed-When: Mon Jul 26 04:15:26 PDT 1999 
State-Changed-Why:  
Patches applied to -current.  Thanks. 
>Unformatted:
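The off-by-one from the Description, worked through as an added example (not code from the PR or from ppp): the pre-patch condition is shown beside a stricter parser that also rejects negative numbers, trailing characters and overflow. `parse_rule_no` and `old_check_accepts` are hypothetical names; MAXFILTERS is set to the 40 quoted in the PR.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAXFILTERS 40   /* value quoted in the PR description */

/* Hypothetical helper, not from ppp: parse a rule number for an array of
 * `limit` entries.  Returns the index (0 .. limit-1) or -1 if invalid. */
static int
parse_rule_no(const char *arg, long limit)
{
  char *end;
  long val;

  errno = 0;
  val = strtol(arg, &end, 0);
  if (end == arg || *end != '\0')   /* no digits, or trailing characters */
    return -1;
  if (errno == ERANGE)              /* value did not fit in a long */
    return -1;
  if (val < 0 || val >= limit)      /* valid indices are 0 .. limit-1 */
    return -1;
  return (int)val;
}

/* The pre-patch condition from filter.c, kept for comparison. */
static int
old_check_accepts(const char *arg)
{
  char *end;
  long val = strtol(arg, &end, 0);

  return !(end == arg || val > MAXFILTERS);
}

int
main(void)
{
  /* Constructed inputs; "40" is the rule number used in How-To-Repeat. */
  const char *samples[] = { "0", "39", "40", "-1", "0x27", "12abc", "" };
  size_t i;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf("%-6s old=%d strict=%d\n", samples[i],
        old_check_accepts(samples[i]), parse_rule_no(samples[i], MAXFILTERS));
  return 0;
}
```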
