misc/107565: input string parsing mistake

Igor Anishchuk igor.anishchuk at f-secure.com
Fri Jan 5 06:50:15 PST 2007


>Number:         107565
>Category:       misc
>Synopsis:       input string parsing mistake
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 05 14:50:14 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Igor Anishchuk
>Release:        FreeBSD 6.2-PRERELEASE #5: Tue Jan  2 15:00:46 EET 2007
>Organization:
F-Secure Corporation
>Environment:
FreeBSD fsfwc002.test 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #5: Tue Jan  2 15:00:46 EET 2007     anisig at fsfwc002.test:/usr/obj/usr/src/sys/FSFWC  amd64
>Description:
It is impossible to specify more than one IP-address and mask in colon-separated form. During my investigation I've found that the /xx form uses the same dangerous parsing method and its working relies only on an atoi() behaviour hack.

As I see it, the parsing works quite stupidly. It just passes the entire line after the delimiter to an external function (either atoi() or inet_aton()) and the latter just can't parse the line if it contains anything else after the current address:mask pair.

The file in question is /usr/src/sbin/ipfw/ipfw2.c, the lines starting from #2714.
>How-To-Repeat:
ipfw add count all from any to 192.168.0.0/24,192.168.2.0:255.255.255.0
The previous one works well. The next one doesn't.
ipfw add count all from any to 192.168.0.0:255.255.255.0,192.168.2.0:255.255.255.0

>Fix:
fsfwc002# diff /usr/src/sbin/ipfw/ipfw2.c.old /usr/src/sbin/ipfw/ipfw2.c
2722a2723,2731
>         char t[15];
>         int ti;
>
>         for(ti=0; ti<16 && p[ti] != 0; ti++){
>                 t[ti]=p[ti+1];
>                 if(t[ti] != '.' && (t[ti] < '0' || t[ti] > '9'))
>                         t[ti] = '\0';
>         }
>
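Review bot: the copy loop writes past t. t is declared as char t[15] but the bound ti<16 lets ti reach 15, so t[15] is one byte beyond the array, and that is the ordinary case rather than a corner one: for a full-length mask such as 255.255.255.255 the byte that lands at t[15] is the terminating NUL itself, so every such rule produces a one-byte stack overflow in a tool that runs as root. Two further points in the same loop: the copy reads p[ti+1] while testing p[ti], which only yields the mask if p still points at the separator character when this block runs (if the separator has already been replaced by NUL and p advanced, the first character of the mask is skipped), and after a NUL has been stored the loop keeps copying the remaining characters, so termination depends on the first non-digit seen rather than on an explicit terminator. Suggest char t[16] (sizeof "255.255.255.255"), copying from the first mask character, breaking at the first character that is not a digit or '.', and writing the NUL explicitly; or drop the copy entirely and temporarily NUL-terminate the original string at the next ',' or '{' found with strpbrk(p, ",{"), restoring that character after inet_aton()/atoi() have run, which also removes the width limit. Confirm p cannot be NULL at the insertion point; the hunk shows no check.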
2734c2743
<               if (!inet_aton(p, (struct in_addr *)&d[1]))
---
>               if (!inet_aton(t, (struct in_addr *)&d[1]))
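Review bot: passing t instead of p only fixes the colon form if t is reliably NUL-terminated, which the copy loop in the first hunk does not guarantee for a 15-character mask; inet_aton() on an unterminated buffer reads past it. Any diagnostic in the surrounding code that still prints p on failure should be switched to t as well, otherwise the message shows the whole remainder of the rule rather than the mask that was rejected.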
2738c2747
<               masklen = atoi(p);
---
>               masklen = atoi(t);
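Review bot: atoi(t) is behaviour-neutral relative to atoi(p): atoi() already stops at the first non-digit, which is exactly the tolerance the report describes as a hack, so this hunk neither fixes nor breaks the /xx form. If the intent is to stop depending on that tolerance, use strtol() with an end-pointer check and reject anything other than digits (optionally followed by ',' or '{'); that also catches widths like 24x or an empty width, both of which atoi() silently turns into 0.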

>Release-Note:
>Audit-Trail:
>Unformatted:
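The two How-To-Repeat command lines, as an added stand-alone example that is not part of this PR and not ipfw's own fill_ip() code: naive_mask() mirrors the behaviour the Description reports (the whole remainder of the rule is handed to inet_aton() or atoi()), while parse_list() isolates each comma-separated element in a bounded buffer before any library call sees it, so both the /xx and the :mask forms work in lists and trailing junk is rejected instead of tolerated. The function and type names, the 16-byte buffers and the sample inputs are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed list element; both fields in host byte order. (Example type.) */
struct net_entry {
    uint32_t addr;
    uint32_t mask;
};

/* Behaviour described in the report: whatever follows the separator md is
 * handed to inet_aton() or atoi() unchanged. Returns 1 if a mask resulted. */
int naive_mask(const char *rest, char md, uint32_t *mask)
{
    if (md == ':') {
        struct in_addr m;
        if (!inet_aton(rest, &m))          /* "255.255.255.0,..." is rejected */
            return 0;
        *mask = ntohl(m.s_addr);
        return 1;
    }
    int len = atoi(rest);                  /* "24,192.168..." -> 24 by accident */
    if (len < 0 || len > 32)
        return 0;
    *mask = len == 0 ? 0 : 0xffffffffu << (32 - len);
    return 1;
}

/* Strict version: exactly n bytes of mask text, bounded copy, no trailing
 * characters accepted after the mask or the prefix width. */
int parse_mask(const char *s, size_t n, char md, uint32_t *mask)
{
    char buf[16];                          /* "255.255.255.255" plus NUL */
    if (n == 0 || n >= sizeof buf)
        return 0;
    memcpy(buf, s, n);
    buf[n] = '\0';
    if (md == ':') {
        struct in_addr m;
        if (!inet_aton(buf, &m))
            return 0;
        *mask = ntohl(m.s_addr);
        return 1;
    }
    /* '/' form: digits only, range 0..32, nothing after the number */
    char *end;
    if (buf[0] < '0' || buf[0] > '9')
        return 0;
    long len = strtol(buf, &end, 10);
    if (*end != '\0' || len < 0 || len > 32)
        return 0;
    *mask = len == 0 ? 0 : 0xffffffffu << (32 - len);
    return 1;
}

/* Parse "a.b.c.d[/len|:mask](,a.b.c.d[/len|:mask])*" into out[0..max).
 * Returns the number of entries, or -1 on any malformed element. */
int parse_list(const char *line, struct net_entry *out, int max)
{
    int count = 0;
    const char *p = line;

    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t elen = comma ? (size_t)(comma - p) : strlen(p);
        size_t alen = 0;
        char abuf[16];
        struct in_addr a;
        uint32_t mask = 0xffffffffu;       /* bare address means /32 */

        while (alen < elen && p[alen] != '/' && p[alen] != ':')
            alen++;
        if (alen == 0 || alen >= sizeof abuf)
            return -1;
        memcpy(abuf, p, alen);
        abuf[alen] = '\0';
        if (!inet_aton(abuf, &a))
            return -1;
        /* a separator followed the address: parse just the mask text */
        if (alen < elen && !parse_mask(p + alen + 1, elen - alen - 1, p[alen], &mask))
            return -1;
        if (count == max)
            return -1;
        out[count].addr = ntohl(a.s_addr) & mask;
        out[count].mask = mask;
        count++;
        p = comma ? comma + 1 : p + elen;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: the address lists from the two How-To-Repeat rules. */
    const char *slash = "192.168.0.0/24,192.168.2.0:255.255.255.0";
    const char *colon = "192.168.0.0:255.255.255.0,192.168.2.0:255.255.255.0";
    struct net_entry e[4];
    uint32_t m;

    printf("naive ':' on remainder: %s\n", naive_mask(colon + 12, ':', &m) ? "ok" : "rejected");
    printf("naive '/' on remainder: %s\n", naive_mask(slash + 12, '/', &m) ? "ok" : "rejected");
    int n = parse_list(colon, e, 4);
    printf("strict parse of colon form: %d entries\n", n);
    for (int i = 0; i < n; i++)
        printf("  %08x/%08x\n", e[i].addr, e[i].mask);
    return 0;
}
```

The design point is that the separator search and the library call operate on different strings: the element boundary (',' here; ipfw also treats '{' as one) is found first, the piece is copied into a buffer sized for the longest legal value with an explicit length check, and only that NUL-terminated piece reaches inet_aton() or strtol(). The 16-byte size is not a limit on the rule, just on one dotted quad, and oversize or empty pieces fail closed instead of being silently truncated.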

