From alex@antar.bryansk.ru  Fri Oct 29 11:05:59 2004
Return-Path: <alex@antar.bryansk.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5025A16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 29 Oct 2004 11:05:59 +0000 (GMT)
Received: from rex.antar.bryansk.ru (mx.online.bryansk.ru [195.239.214.81])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EC6E143D49
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 29 Oct 2004 11:05:55 +0000 (GMT)
	(envelope-from alex@antar.bryansk.ru)
Received: from [192.168.214.11] (helo=zeus.antar.bryansk.ru)
	by rex.antar.bryansk.ru with esmtp (Exim 4.42 (FreeBSD))
	id 1CNUZu-000BJK-6T
	for FreeBSD-gnats-submit@freebsd.org; Fri, 29 Oct 2004 15:05:54 +0400
Message-Id: <1099047948.0@zeus.antar.bryansk.ru>
Date: Fri, 29 Oct 2004 15:05:48 +0400
From: "Alexey V. Tolstenok <alex@antar.bryansk.ru>" <alex@antar.bryansk.ru>
To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@freebsd.org>
Subject: ipfw2 vulnerability (parser error)
X-Send-Pr-Version: gtk-send-pr 0.3.4 
X-GNATS-Notify:

>Number:         73276
>Category:       kern
>Synopsis:       [ipfw] [patch] ipfw2 vulnerability (parser error)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 29 11:10:15 GMT 2004
>Closed-Date:    Sat Feb 23 03:06:50 UTC 2008
>Last-Modified:  Sat Feb 23 03:06:50 UTC 2008
>Originator:     Alexey V. Tolstenok <alex@antar.bryansk.ru>
>Release:        FreeBSD 5.3-RC1 i386
>Organization:
Sviaz-Service-Internet 
>Environment:


System: FreeBSD 5.3-RC1 #0: Sat Oct 23 21:45:36 GMT 2004
    alex@:/usr/obj/usr/src/sys/KERNEL



>Description:


ipfw parser accepts any number of escaped closing parentheses regardless of the number of opening ones


>How-To-Repeat:


Just type the following string at the shell prompt:
ipfw add 100 allow ip from 192.168.0.0/24\{1,2\}\}\}\}\}\}\}\}\}\} to any


>Fix:


Unknown to me


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: arved 
Responsible-Changed-When: Tue May 10 13:50:30 GMT 2005 
Responsible-Changed-Why:  
Over to ipfw mailinglist 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73276 

From: Jon Simola <jsimola@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/73276: ipfw2 vulnerability (parser error)
Date: Tue, 10 May 2005 11:45:55 -0700

 More accurately, anything after the closing '}' is ignored by the
 parser. I'm pretty sure this fixes that.
 
 --- ipfw2.c.orig        Tue May 10 08:45:12 2005
 +++ ipfw2.c     Tue May 10 09:53:08 2005
 @@ -2088,8 +2088,11 @@
                        i =3D -1;
                        if (*s =3D=3D '-')
                            i =3D a;
 -                       else if (*s =3D=3D '}')
 +                       else if (*s =3D=3D '}') {
 +                           if (strlen(s) > 1)
 +                               errx(EX_DATAERR, "trailing garbage after '}=
 '");
                            break;
 +                       }
                        av =3D s+1;
                }
                return;
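 Review bot: the new check in the `*s == '}'` branch is the right condition (the address is one argv token, so nothing may follow the closing brace), but `strlen(s) > 1` walks the rest of the string just to learn whether a second byte exists; `s[1] != '\0'` says the same thing without the scan. Note also that this copy of the patch is quoted-printable encoded (`=3D` stands for `=`, and the `errx` message line is soft-wrapped at `'}=`), so it needs decoding before it will apply. Behaviourally the change turns silent truncation into a hard `errx` exit, so a rule with trailing text is rejected rather than installed with part of its address dropped, which is the safer failure mode for a firewall rule.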
 
 --=20
 Jon Simola
 Systems Administrator
 ABC Communications
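The host-list parsing loop discussed in the report and in Jon's patch, as an added stand-alone C example that is not part of ipfw2.c or of the patch: parse_host_list, host_list_count and the LIST_* codes are hypothetical names, strict=0 reproduces the reported behaviour (the loop returns at the first '}' and ignores the rest), and strict=1 applies the trailing-text check from the patch.

```c
#include <stdlib.h>
#include <string.h>

#define LIST_OK            0
#define LIST_ERR_SYNTAX   -1   /* malformed list */
#define LIST_ERR_TRAILING -2   /* text after the closing '}' (strict only) */

/* Hypothetical re-implementation of the "{1,2,5-7}" host-list suffix parse.
 * strict=0: return at the first '}' and never look at what follows (the bug).
 * strict=1: reject anything after '}' (the patch's check). */
int parse_host_list(const char *av, unsigned char set[256], int strict)
{
    char *s;
    long a, lo, i = -1;          /* i: pending range start, -1 if none */
    memset(set, 0, 256);
    if (*av++ != '{')
        return LIST_ERR_SYNTAX;
    while (*av) {
        a = strtol(av, &s, 0);   /* base 0: decimal, octal or hex, as ipfw */
        if (s == av || a < 0 || a > 255)
            return LIST_ERR_SYNTAX;
        lo = (i == -1) ? a : i;
        if (lo > a)
            return LIST_ERR_SYNTAX;  /* descending range such as 7-5 */
        for (; lo <= a; lo++)
            set[lo] = 1;
        i = -1;
        if (*s == '-') {
            i = a;                   /* next number closes the range */
        } else if (*s == '}') {
            if (strict && s[1] != '\0')
                return LIST_ERR_TRAILING;
            return LIST_OK;          /* unpatched: trailing text ignored */
        } else if (*s != ',') {
            return LIST_ERR_SYNTAX;
        }
        av = s + 1;
    }
    return LIST_ERR_SYNTAX;          /* ran out of input without a '}' */
}

/* Number of hosts selected by the list, or the negative LIST_ error code. */
int host_list_count(const char *av, int strict)
{
    unsigned char set[256];
    int rc = parse_host_list(av, set, strict), n = 0, k;
    for (k = 0; rc >= 0 && k < 256; k++)
        n += set[k];
    return rc < 0 ? rc : n;
}
```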

From: Volker <volker@vwsoft.com>
To: bug-followup@FreeBSD.org, alex@antar.bryansk.ru
Cc:  
Subject: Re: kern/73276: [ipfw] [patch] ipfw2 vulnerability (parser error)
Date: Fri, 22 Feb 2008 21:29:58 +0100

 Alexey,
 
 I'm sorry to see your PR untouched for years. I'm really sorry for that.
 
 I've checked your problem report and was unable to reproduce the error
 you mentioned under RELENG_7:
 
 # ipfw add 100 allow ip from 192.168.0.0\{1,2\}\}\}\} to any
 00100 allow ip from 192.168.0.0/24{1,2} to any
 
 I'm wondering if you can still reproduce the error? Please report back
 if we can close this PR.
 
 Thanks!
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Sat Feb 23 03:05:03 UTC 2008 
State-Changed-Why:  
Note that submitter has been asked for feedback. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73276 
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Sat Feb 23 03:06:38 UTC 2008 
State-Changed-Why:  
Submitter's email address bounces. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73276 
>Unformatted:
