From nobody@FreeBSD.org  Fri Jan  5 14:45:05 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 7110416A40F
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  5 Jan 2007 14:45:05 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 5209F13C442
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  5 Jan 2007 14:45:05 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l05Ej5bB003587
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 5 Jan 2007 14:45:05 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l05Ej4Gg003586;
	Fri, 5 Jan 2007 14:45:04 GMT
	(envelope-from nobody)
Message-Id: <200701051445.l05Ej4Gg003586@www.freebsd.org>
Date: Fri, 5 Jan 2007 14:45:04 GMT
From: Igor Anishchuk
To: freebsd-gnats-submit@FreeBSD.org
Subject: input string parsing mistake
X-Send-Pr-Version: www-3.0

>Number:         107565
>Category:       kern
>Synopsis:       [ipfw] [patch] input string parsing mistake
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    mlaier
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 05 14:50:14 GMT 2007
>Closed-Date:    Wed Jan 10 12:13:11 GMT 2007
>Last-Modified:  Wed Jan 10 12:13:11 GMT 2007
>Originator:     Igor Anishchuk
>Release:        FreeBSD 6.2-PRERELEASE #5: Tue Jan  2 15:00:46 EET 2007
>Organization:
F-Secure Corporation
>Environment:
FreeBSD fsfwc002.test 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #5: Tue Jan  2 15:00:46 EET 2007     anisig@fsfwc002.test:/usr/obj/usr/src/sys/FSFWC  amd64
>Description:
It is impossible to specify more than one IP address and mask in colon-
separated form. During my investigation I've found that the /xx form uses the
same dangerous parsing method, and its working relies only on an atoi()
behavior hack.

As I see it, the parsing works quite stupidly. It just passes the entire line
after the delimiter to an external function (either atoi() or inet_aton()), and
the latter just can't parse the line if it contains anything else after the
current pair of address:mask.

The file in question is /usr/src/sbin/ipfw/ipfw2.c, the lines starting
from #2714.
>How-To-Repeat:
ipfw add count all from any to 192.168.0.0/24,192.168.2.0:255.255.255.0
The previous one works well. The next one doesn't.
ipfw add count all from any to 192.168.0.0:255.255.255.0,192.168.2.0:255.255.255.0

>Fix:
fsfwc002# diff /usr/src/sbin/ipfw/ipfw2.c.old /usr/src/sbin/ipfw/ipfw2.c
2722a2723,2731
>         char t[15];
>         int ti;
>
>         for(ti=0; ti<16 && p[ti] != 0; ti++){
>                 t[ti]=p[ti+1];
>                 if(t[ti] != '.' && (t[ti] < '0' || t[ti] > '9'))
>                         t[ti] = '\0';
>         }
>
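Review bot: the copy loop in this hunk overruns t: `char t[15]` has indices 0..14, but the loop runs while `ti<16`, so for a 15-character mask such as 255.255.255.255 followed by a delimiter the iteration that stores the terminating '\0' writes t[15], one byte past the array, and when the tail after the delimiter is 16 or more digit/'.' characters the loop exits on the bound without ever terminating t. Size the buffer for the longest dotted quad plus NUL (`char t[16]`), bound the loop at `sizeof(t) - 1`, and write an explicit `t[ti] = '\0'` after the loop. The loop also dereferences p unconditionally (`p[ti] != 0`) although p comes from strpbrk() and is NULL for a bare address with no delimiter; test p before entering the loop.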
2734c2743
<               if (!inet_aton(p, (struct in_addr *)&d[1]))
---
>               if (!inet_aton(t, (struct in_addr *)&d[1]))
2738c2747
<               masklen = atoi(p);
---
>               masklen = atoi(t);
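Review bot: atoi(t) keeps the weakness the report calls an "atoi() behavior hack": atoi() stops at the first non-digit and returns 0 when there is none, so /2x parses as width 2 and /x as width 0 instead of being rejected, and t still contains any '.' characters, so "24.1" is accepted as 24. Parse the width with strtol() and reject it unless the end pointer reached '\0' and the value lies within 0..32, e.g. `masklen = strtol(t, &end, 10); if (*end != '\0' || masklen < 0 || masklen > 32) errx(...)`.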

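The parsing problem the report describes, and the two ways of handling it, as an added example in C that is not code from the PR or from ipfw itself: a small stand-in for the address-list parser which, in naive mode, hands the whole remainder after the delimiter to the address and width parsers the way the report says ipfw2.c did, and in strict mode hides the rest of the list behind a temporary '\0' (the approach of the committed fix) and parses the prefix width with strtol(). It uses inet_pton(3) rather than inet_aton(3), omits the '{...}' set syntax, and the names parse_list, parse_element and struct ipfw_addr are assumptions made for the example; the sample inputs are the two lists from How-To-Repeat plus a constructed mistyped width. The last input shows something the report does not spell out: with atoi(), a width that is not a number yields 0 and therefore an all-zero, match-anything mask.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* One parsed "addr", "addr/len" or "addr:mask" element, both fields in host order (assumed name). */
struct ipfw_addr {
	uint32_t addr;
	uint32_t mask;
};

/* Mask for a prefix width 0..32; width 0 is special-cased because a 32-bit shift is undefined. */
static uint32_t masklen_to_mask(int len)
{
	return len == 0 ? 0 : (uint32_t)(~0u << (32 - len));
}

/*
 * Parse one element at *cursor and advance *cursor past the next ',' (NULL at the end).
 * strict == 0 mimics what the PR reports: the whole remainder after the delimiter goes to
 * the address/width parser untouched, so "mask,next..." fails and "24,next..." only works
 * because atoi() stops at the first non-digit.  strict == 1 hides the rest of the list
 * behind a temporary '\0' (restored before returning) and parses the width with strtol(),
 * rejecting trailing characters and out-of-range values.  Returns 0 on success, -1 on error.
 */
static int parse_element(char **cursor, struct ipfw_addr *out, int strict)
{
	char *av = *cursor;
	char *p = strpbrk(av, "/:,");
	char md = '\0', nd = '\0';
	char *t = NULL;
	struct in_addr a;
	int rc = 0;

	if (p != NULL) {
		md = *p;
		*p++ = '\0';
		if (strict && (t = strchr(p, ',')) != NULL) {
			nd = *t;
			*t = '\0';
		}
	}
	if (inet_pton(AF_INET, av, &a) != 1) {
		rc = -1;
	} else {
		long len = 0;
		char *end;

		out->addr = ntohl(a.s_addr);
		switch (md) {
		case ':':	/* dotted-decimal mask */
			if (inet_pton(AF_INET, p, &a) != 1)
				rc = -1;
			else
				out->mask = ntohl(a.s_addr);
			break;
		case '/':	/* prefix width */
			if (strict) {
				errno = 0;
				len = strtol(p, &end, 10);
				if (end == p || *end != '\0' || errno != 0)
					rc = -1;
			} else {
				len = atoi(p);	/* "abc" -> 0, "2x" -> 2: garbage is accepted */
			}
			if (rc == 0 && (len < 0 || len > 32))
				rc = -1;
			if (rc == 0)
				out->mask = masklen_to_mask((int)len);
			break;
		default:	/* ',' or end of string: bare host, /32 */
			out->mask = 0xffffffffu;
			break;
		}
	}
	if (rc == 0)
		out->addr &= out->mask;

	/* Put the separators back so the caller's buffer is intact, then locate the next element. */
	if (t != NULL)
		*t = nd;
	if (p != NULL)
		*(p - 1) = md;
	if (rc == 0) {
		char *comma = (md == ',') ? p - 1 : (p != NULL ? strchr(p, ',') : NULL);
		*cursor = (comma == NULL) ? NULL : comma + 1;
	}
	return rc;
}

/* Parse a comma-separated list into out[0..max-1]; returns the element count or -1 on error. */
static int parse_list(const char *list, struct ipfw_addr *out, size_t max, int strict)
{
	char buf[256];
	char *cursor = buf;
	size_t n = 0;

	if (strlen(list) >= sizeof(buf))
		return -1;
	strcpy(buf, list);
	while (cursor != NULL) {
		if (n == max || parse_element(&cursor, &out[n], strict) != 0)
			return -1;
		n++;
	}
	return (int)n;
}

int main(void)
{
	/* Constructed inputs: the two lists from How-To-Repeat plus a mistyped width. */
	static const char *inputs[] = {
		"192.168.0.0/24,192.168.2.0:255.255.255.0",
		"192.168.0.0:255.255.255.0,192.168.2.0:255.255.255.0",
		"10.0.0.0/abc",
	};
	struct ipfw_addr r[4];

	for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		for (int strict = 0; strict <= 1; strict++) {
			int n = parse_list(inputs[i], r, 4, strict);
			printf("%-6s %-52s -> %d element(s)", strict ? "strict" : "naive", inputs[i], n);
			for (int k = 0; k < n; k++)
				printf(" %08x/%08x", (unsigned)r[k].addr, (unsigned)r[k].mask);
			printf("\n");
		}
	}
	return 0;
}
```

Naive mode reproduces the report exactly: the /24 list parses, the colon list fails on the first element because "255.255.255.0,192.168.2.0:255.255.255.0" is not an address. Strict mode parses both lists and, unlike the original atoi() path, refuses "/abc" rather than turning it into a 0.0.0.0 mask.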
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Jan 5 14:52:39 UTC 2007 
Responsible-Changed-Why:  
Reassign to ipfw team 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107565 

[linimon note: badly-formatted followup deleted; replacement is below]
 
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Fri Jan 5 17:00:32 UTC 2007 
State-Changed-Why:  
Unfortunately, you used quoted-printable to include your updated patch, 
rendering it useless to GNATS.  Can you please resend it (preferably 
also without the HTML cruft?  Often that is flagged as spam.) 

Thanks 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107565 

From: Igor Anishchuk
To: bug-followup@FreeBSD.org
Subject: Re: kern/107565: [ipfw] [patch] input string parsing mistake
Date: Fri, 5 Jan 2007 22:55:46 +0200

 Quoted-printable suxx! 3rd turn. Excuse me.
 
 This patch must be used to prevent core dumps in certain situations.

 --- /usr/src/sbin/ipfw/ipfw2.c  Fri Jan  5 17:43:25 2007
 ***************
 *** 2720,2725 ****
 --- 2720,2733 ----
         char *p = strpbrk(av, "/:,{");
         int masklen;
         char md;
 +         char t[15];
 +         int ti;
 +
 +         for (ti=0; ti<16 && p && p[ti] != 0; ti++){
 +                 t[ti]=p[ti+1];
 +                 if(t[ti] != '.' && (t[ti] < '0' || t[ti] > '9'))
 +                         t[ti] = '\0';
 +         }
 
         if (p) {
                 md = *p;
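Review bot: the `p &&` guard fixes the NULL dereference, but the bound in this hunk is still off by one: `char t[15]` holds indices 0..14 while the loop runs to ti == 15, so a 15-character mask followed by a delimiter stores its '\0' in t[15], past the array, and a tail of 16 or more digit/'.' characters leaves t unterminated, so inet_aton()/atoi() read off its end. Declare `char t[16]`, loop while `ti < sizeof(t) - 1`, and write `t[ti] = '\0'` after the loop so the copy is terminated on every exit path.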
 ***************
 *** 2731,2741 ****
                 errx(EX_NOHOST, "hostname ``%s'' unknown", av);
         switch (md) {
         case ':':
 !               if (!inet_aton(p, (struct in_addr *)&d[1]))
                         errx(EX_DATAERR, "bad netmask ``%s''", p);
                 break;
         case '/':
 !               masklen = atoi(p);
                 if (masklen == 0)
                         d[1] = htonl(0);        /* mask */
                 else if (masklen > 32)
 --- 2739,2749 ----
                 errx(EX_NOHOST, "hostname ``%s'' unknown", av);
         switch (md) {
         case ':':
 !               if (!inet_aton(t, (struct in_addr *)&d[1]))
                         errx(EX_DATAERR, "bad netmask ``%s''", p);
                 break;
         case '/':
 !               masklen = atoi(t);
                 if (masklen == 0)
                         d[1] = htonl(0);        /* mask */
                 else if (masklen > 32)
 
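Review bot: in the '/' case, atoi(t) returns 0 for a width that is not a number, and the `if (masklen == 0)` branch immediately below installs `htonl(0)` as the mask, so a mistyped width such as /x is accepted and yields a rule that matches every address, while /2x silently becomes /2. Replace atoi() with strtol() and reject the width unless the end pointer reached '\0' and the value is within 0..32. The `bad netmask` message still reports p rather than the t that was actually parsed; that is fine for diagnostics but deserves a comment, since the two strings now differ.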

State-Changed-From-To: feedback->open 
State-Changed-By: linimon 
State-Changed-When: Sat Jan 6 12:38:14 UTC 2007 
State-Changed-Why:  
Feedback received. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107565 
Responsible-Changed-From-To: freebsd-ipfw->mlaier 
Responsible-Changed-By: mlaier 
Responsible-Changed-When: Sat Jan 6 18:53:01 UTC 2007 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107565 

From: Max Laier <max@love2party.net>
To: bug-followup@freebsd.org,
 Igor Anishchuk@freebsd.org
Cc:  
Subject: Re: kern/107565: [ipfw] [patch] input string parsing mistake
Date: Sat, 6 Jan 2007 20:28:07 +0100

 How about this one, instead?  Doesn't do any copies and still gets to the 
 goal.  Looks good?  BTW, the unified diff format is usually preferred for 
 human consumption.
 
 --
  Max
 
 Attachment ipfw_aton_atoi.diff:
 
 Index: ipfw2.c
 ===================================================================
 RCS file: /usr/store/mlaier/fcvs/src/sbin/ipfw/ipfw2.c,v
 retrieving revision 1.76.2.14
 diff -u -r1.76.2.14 ipfw2.c
 --- ipfw2.c	21 Oct 2006 15:59:19 -0000	1.76.2.14
 +++ ipfw2.c	6 Jan 2007 19:27:26 -0000
 @@ -2717,13 +2717,17 @@
  	 * ',' indicating another address follows, '{' indicating a
  	 * set of addresses of unspecified size.
  	 */
 -	char *p = strpbrk(av, "/:,{");
 +	char *t = NULL, *p = strpbrk(av, "/:,{");
  	int masklen;
 -	char md;
 +	char md, nd;
  
  	if (p) {
  		md = *p;
  		*p++ = '\0';
 +		if ((t = strpbrk(p, ",{")) != NULL) {
 +			nd = *t;
 +			*t = '\0';
 +		}
  	} else
  		md = '\0';
  
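Review bot: nd is assigned only inside `if ((t = strpbrk(p, ",{")) != NULL)` and read later only under `if (t)`, which is correct, but a compiler cannot see that coupling and will warn about a possibly uninitialized nd under -Wall; initialize it alongside t (`char md, nd = '\0';`). A one-line comment at `*t = '\0'` saying that the separator is hidden only for the duration of the inet_aton()/atoi() call and restored after the switch would also help, since the errx() exits in between leave it unrestored and that is harmless only because the process terminates.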
 @@ -2757,6 +2761,8 @@
  		break;
  	}
  	d[0] &= d[1];		/* mask base address with mask */
 +	if (t)
 +		*t = nd;
  	/* find next separator */
  	if (p)
  		p = strpbrk(p, ",{");
 
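Review bot: the restore `*t = nd` sits after `d[0] &= d[1]` and before the `strpbrk(p, ",{")` that finds the next separator, which is the required order: the search can only see the ',' or '{' once it has been put back. Add a short comment saying so (e.g. `/* restore the separator hidden from inet_aton()/atoi() above */`) so a later edit does not move the search above the restore, which would make strpbrk() return NULL and silently end the list after its first element.
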
From: "Anishchuk, Igor" <igor.anishchuk@f-secure.com>
To: "Max Laier" <max@love2party.net>
Cc: <bug-followup@freebsd.org>
Subject: Re[2]: kern/107565: [ipfw] [patch] input string parsing mistake
Date: Sun, 7 Jan 2007 01:57:39 +0200

 The last one works like a charm! Good job!
 
 How long will it take to commit the patch to the -STABLE?
 
 /Igor

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/107565: commit references a PR
Date: Sun,  7 Jan 2007 03:02:19 +0000 (UTC)

 mlaier      2007-01-07 03:02:02 UTC
 
   FreeBSD src repository
 
   Modified files:
     sbin/ipfw            ipfw2.c 
   Log:
   Fix a parsing bug when specifying more than one address with dotted decimal
   netmask.
   
   Reported by:    Igor Anishchuk
   PR:             kern/107565
   MFC after:      3 days
   
   Revision  Changes    Path
   1.101     +8 -2      src/sbin/ipfw/ipfw2.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: mlaier 
State-Changed-When: Sun Jan 7 03:19:56 UTC 2007 
State-Changed-Why:  
Committed to HEAD, MFC due in 3 days. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107565 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/107565: commit references a PR
Date: Wed, 10 Jan 2007 11:35:20 +0000 (UTC)

 mlaier      2007-01-10 11:34:52 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     sbin/ipfw            ipfw2.c 
   Log:
   MFC: ipfw2.c, 1.101:
     Fix a parsing bug when specifying more than one address with dotted
     decimal netmask.
   
     Reported by:  Igor Anishchuk
     PR:           kern/107565
   
   Revision   Changes    Path
   1.76.2.15  +8 -2      src/sbin/ipfw/ipfw2.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: mlaier 
State-Changed-When: Wed Jan 10 12:12:16 UTC 2007 
State-Changed-Why:  
Committed back to RELENG_6, no further merge planned. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107565 
>Unformatted:
