From dk@raven.plab.ku.dk  Wed Apr  9 02:54:23 2003
Return-Path: <dk@raven.plab.ku.dk>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6302737B401
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  9 Apr 2003 02:54:23 -0700 (PDT)
Received: from raven.plab.ku.dk (raven.plab.ku.dk [130.225.107.27])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 616A643F85
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  9 Apr 2003 02:54:22 -0700 (PDT)
	(envelope-from dk@raven.plab.ku.dk)
Received: from raven.plab.ku.dk (localhost [127.0.0.1])
	by raven.plab.ku.dk (8.12.9/8.12.9) with ESMTP id h399sKaB012413
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 9 Apr 2003 11:54:20 +0200 (CEST)
	(envelope-from dk@raven.plab.ku.dk)
Received: (from dk@localhost)
	by raven.plab.ku.dk (8.12.9/8.12.9/Submit) id h399sKPl012412;
	Wed, 9 Apr 2003 11:54:20 +0200 (CEST)
Message-Id: <200304090954.h399sKPl012412@raven.plab.ku.dk>
Date: Wed, 9 Apr 2003 11:54:20 +0200 (CEST)
From: Dmitry Karasik <dmitry@karasik.eu.org>
Reply-To: Dmitry Karasik <dmitry@karasik.eu.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ipfw2 incorrectly parses ports and port ranges
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         50749
>Category:       bin
>Synopsis:       [ipfw] [patch] ipfw2 incorrectly parses ports and port ranges
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 09 03:00:32 PDT 2003
>Closed-Date:    Thu Jan 31 16:00:18 UTC 2008
>Last-Modified:  Thu Jan 31 16:00:18 UTC 2008
>Originator:     Dmitry Karasik
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
>Environment:
System: FreeBSD raven.plab.ku.dk 4.8-STABLE FreeBSD 4.8-STABLE #7: Mon Apr 7 13:56:46 CEST 2003 root@raven.plab.ku.dk:/usr/obj/usr/src/sys/RAVEN i386


	
>Description:

        ipfw2 (ipfw compiled with -DIPFW2) allows multiple port ranges in a single
        rule, but parses these incorrectly. Moreover, when ipfw2 fails to parse a
        port, the port list processing silently stops and no error is reported.

>How-To-Repeat:

        Example: valid port name 'ftp-data' is treated incorrectly and 
                 ports 'ssh' and 'www' are silently skipped:

           Input:  ipfw add 1000 allow tcp from any to any ftp,ftp-data,ssh,www
           Output: 1000 allow tcp from any to any dst-port 21

>Fix:

        Patch to /usr/src/sbin/ipfw/ipfw2.c resolves the problem. It is based
        on a comment in ipfw2.c that states that only numeric ranges are
        allowed. Thus, port ranges like 'ftp-data-30' and 'ssh-25' are
        treated as invalid. The reverse ranges, like '225-ssh', are still valid
        though.

--- ipfw2.c.patch begins here ---
--- ipfw2.c	Wed Apr  9 11:27:10 2003
+++ /plab.ku.dk/usr/src/sbin/ipfw/ipfw2.c	Wed Apr  9 11:26:12 2003
@@ -451,7 +451,7 @@
 	/*
 	 * find separator. '\\' escapes the next char.
 	 */
-	for (s1 = s; *s1 && (isalnum(*s1) || *s1 == '\\') ; s1++)
+	for (s1 = s; *s1 && (isalnum(*s1) || *s1 == '\\' || *s1 == '-') ; s1++)
 		if (*s1 == '\\' && s1[1] != '\0')
 			s1++;
 
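Review bot: adding `*s1 == '-'` to the loop condition makes the scan treat every unescaped dash as part of the name, which duplicates what the '\\' escape described in the comment directly above already provides and leaves that comment out of date. If bare dashes in names are to be accepted, update the comment to say so and state how a dash meant as a range separator after a name is now handled; otherwise drop this change and keep the escape as the only way to put a dash in a name.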
@@ -499,20 +499,29 @@
 fill_newports(ipfw_insn_u16 *cmd, char *av, int proto)
 {
 	u_int16_t *p = cmd->ports;
-	int i = 0;
-	char *s = av;
+	int i = 0, ignore_first_error = 1;
+	char *s = av, *s1;
 
 	while (*s) {
 		u_int16_t a, b;
 
+		s1 = s;
 		a = strtoport(av, &s, 0, proto);
-		if (s == av) /* no parameter */
+		if (s == av) {/* no parameter */
+		   	if ( !ignore_first_error) { 
+			   	if ( *s1 == ',') *s1++;
+				errx(EX_DATAERR,
+				    "illegal port ``%s''", s1);
+			}
 			break;
+		}
+		ignore_first_error = 0;
 		if (*s == '-') { /* a range */
 			av = s+1;
 			b = strtoport(av, &s, 0, proto);
 			if (s == av) /* no parameter */
-				break;
+				errx(EX_DATAERR,
+			    		"illegal port ``%s''", s);
 			p[0] = a;
 			p[1] = b;
 		} else if (*s == ',' || *s == '\0' ) {
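Review bot: in the added `if ( *s1 == ',') *s1++;` the dereferenced value is discarded, so the statement is only `s1++` written misleadingly and will draw an unused-value warning; write `s1++;` on its own line. The ignore_first_error flag also leaves a failure on the very first token silent, because that path still falls through to `break`, so either report the first token too or add a comment explaining why the first failure must not be an error. The new lines mix spaces and tabs for indentation and use `{/* no parameter */` and `( !ignore_first_error)` spacing that the surrounding context lines do not.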
--- ipfw2.c.patch ends here ---


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ipfw 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Sun Apr 13 15:00:31 PDT 2003 
Responsible-Changed-Why:  
Another PR for the ipfw list. Contains a patch for review. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=50749 

From: Luigi Rizzo <rizzo@icir.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/50749: ipfw2 incorrectly parses ports and port ranges
Date: Sat, 28 Jun 2003 09:25:34 -0700

 As the ipfw manpage says, dashes in service names must be
 escaped by a backslash (which in the shell must be escaped by
 a backslash, so you have to write
 
 	ipfw add 1000 allow tcp from any to any ftp,ftp\\-data,ssh,www
 
 to make it work). So that part of the patch certainly does not
 apply. I agree that the parser should not silently drop the
 remainder of the string in case of an error.
 
 	cheers
 	luigi
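
The two behaviours discussed in this message, as an added example that is not part of the PR or of ipfw2.c: a port-list parser in which a backslash escapes a dash inside a service name and any unparseable token rejects the whole list instead of truncating it. The function names `one_port` and `parse_ports` and the small service table are assumptions made for the illustration (the table is a constructed stand-in for the services database), and a bare '-' is always taken as the range separator.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for getservbyname(); not the real services database. */
static const struct { const char *name; int port; } svc[] = {
	{ "ftp", 21 }, { "ftp-data", 20 }, { "ssh", 22 }, { "www", 80 } };

/* Parse a number or a name (a backslash escapes the next char); -1 on failure. */
static int one_port(const char **sp)
{
	const char *s = *sp;
	char name[32], *end;
	size_t n = 0, i;
	if (isdigit((unsigned char)*s)) {
		long v = strtol(s, &end, 10);
		*sp = end;
		return (v > 65535 ? -1 : (int)v);
	}
	for (; *s != '\0' && n < sizeof(name) - 1; s++) {
		if (*s == '\\' && s[1] != '\0')
			s++;			/* keep the escaped char, e.g. '-' */
		else if (!isalnum((unsigned char)*s))
			break;			/* unescaped separator ends the name */
		name[n++] = *s;
	}
	name[n] = '\0';
	*sp = s;
	for (i = 0; i < sizeof(svc) / sizeof(svc[0]); i++)
		if (strcmp(name, svc[i].name) == 0)
			return (svc[i].port);
	return (-1);
}

/* Fill out[][2] with lo/hi pairs; return the count, or -1 on any bad token. */
int parse_ports(const char *s, uint16_t out[][2], int max)
{
	int n = 0, a, b;
	for (;; s++) {				/* s++ steps over the ',' */
		if (n == max || (a = b = one_port(&s)) < 0)
			return (-1);
		if (*s == '-' && (++s, b = one_port(&s)) < 0)
			return (-1);		/* range with a bad upper bound */
		out[n][0] = (uint16_t)a;
		out[n++][1] = (uint16_t)b;
		if (*s != ',')
			return (*s == '\0' ? n : -1);
	}
}
```

With this parser the unescaped form `ftp,ftp-data,ssh,www` is rejected as a whole, so a rule covering only port 21 is never installed by accident.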

From: Volker <volker@vwsoft.com>
To: bug-followup@FreeBSD.org, dmitry@karasik.eu.org
Cc:  
Subject: Re: bin/50749: [ipfw] [patch] ipfw2 incorrectly parses ports and
 port ranges
Date: Thu, 31 Jan 2008 13:50:29 +0100

 Correct behavior on RELENG_7 (7.0-PRE) and 6.2-STABLE:
 
 # ipfw add 1000 allow tcp from any to any ftp,ftp\\-data,ssh,www
 01000 allow tcp from any to any dst-port 21,20,22,80
 # ipfw list
 01000 allow tcp from any to any dst-port 21,20,22,80
 65535 deny ip from any to any
 
 As this problem is not reproducible anymore, I suggest closing this PR.

From: Dmitry Karasik <dmitry@karasik.eu.org>
To: Volker <volker@vwsoft.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/50749: [ipfw] [patch] ipfw2 incorrectly parses ports and port ranges
Date: Thu, 31 Jan 2008 15:14:23 +0100

 On Thu, Jan 31, 2008 at 01:50:29PM +0100, Volker wrote:
 > As this problem is not reproducible anymore, I suggest closing this PR.
 
 Yes, please do so.
 
 -- 
 Sincerely,
 	Dmitry Karasik
 
State-Changed-From-To: open->closed 
State-Changed-By: gavin 
State-Changed-When: Thu Jan 31 15:59:12 UTC 2008 
State-Changed-Why:  
Submitter confirms this can be closed 

>Unformatted:
