misc/107565: input string parsing mistake

Igor Anishchuk igor.anishchuk at f-secure.com
Fri Jan 5 06:50:15 PST 2007

>Number:         107565
>Category:       misc
>Synopsis:       input string parsing mistake
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 05 14:50:14 GMT 2007
>Originator:     Igor Anishchuk
>Release:        FreeBSD 6.2-PRERELEASE #5: Tue Jan  2 15:00:46 EET 2007
F-Secure Corporation
FreeBSD fsfwc002.test 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #5: Tue Jan  2 15:00:46 EET 2007     anisig at fsfwc002.test:/usr/obj/usr/src/sys/FSFWC  amd64
It is impossible to specify more than one IP address and mask in colon-separated form. During my investigation I've found that the /xx form uses the same dangerous parsing method, and its work relies only on an atoi() behavior hack.

As I see it, the parsing works quite stupidly. It just passes the entire line after the delimiter to an external function (either atoi() or inet_aton()), and the latter just can't parse the line if it contains anything else after the current pair of address:mask.

The file in question is /usr/src/sbin/ipfw/ipfw2.c, the lines starting from line 2714.
ipfw add count all from any to,
The previous one works well. The next one doesn't.
ipfw add count all from any to,
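The report's point is that the address parser hands the whole remainder of the line to inet_aton() or atoi(), so a second comma-separated entry makes the first one fail to parse. The following is an added example (not ipfw's code and not the submitter's patch) of the bounded tokenizing the report asks for: each comma-delimited entry is measured with strcspn(), copied into a buffer sized for the longest legal "addr:mask" token (anything longer is rejected rather than truncated), and only then split into address and mask. Mask lengths are parsed with strtol() and range-checked instead of trusting atoi(). The function and type names, and the sample lists in main(), are all constructed for this example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* One parsed list element, both fields in network byte order. */
struct addr_mask {
    struct in_addr addr;
    struct in_addr mask;
};

/* Parse one token of exactly n bytes (not NUL-terminated) in one of the forms
 * "a.b.c.d", "a.b.c.d:m.m.m.m" or "a.b.c.d/len". Returns 0 on success, -1 on
 * any malformed or over-long input. */
static int parse_one(const char *tok, size_t n, struct addr_mask *out)
{
    char buf[32];   /* "255.255.255.255:255.255.255.255" is 31 chars + NUL */
    char *sep;

    if (n >= sizeof(buf))       /* reject instead of silently truncating */
        return -1;
    memcpy(buf, tok, n);
    buf[n] = '\0';              /* always terminated before inet_aton() sees it */

    out->mask.s_addr = htonl(0xffffffffU);   /* default: host mask */
    sep = strpbrk(buf, ":/");
    if (sep != NULL) {
        char kind = *sep;
        *sep++ = '\0';          /* cut the address part off the mask part */
        if (kind == ':') {
            if (!inet_aton(sep, &out->mask))
                return -1;
        } else {
            char *end;
            long len;
            if (*sep == '\0')
                return -1;
            len = strtol(sep, &end, 10);
            if (*end != '\0' || len < 0 || len > 32)   /* atoi() would not tell us */
                return -1;
            out->mask.s_addr = (len == 0) ? 0 : htonl(~0U << (unsigned)(32 - len));
        }
    }
    if (!inet_aton(buf, &out->addr))
        return -1;
    return 0;
}

/* Parse a comma-separated list into out[0..max-1]. Returns the number of
 * entries, or -1 on an empty element, an over-long list or a bad token. */
int parse_addr_list(const char *list, struct addr_mask *out, size_t max)
{
    size_t count = 0;
    const char *p = list;

    for (;;) {
        size_t n = strcspn(p, ",");     /* length of this element only */
        if (n == 0 || count == max)     /* "a,,b", trailing comma, or overflow */
            return -1;
        if (parse_one(p, n, &out[count]) != 0)
            return -1;
        count++;
        if (p[n] == '\0')
            break;
        p += n + 1;                     /* step past the comma */
    }
    return (int)count;
}

/* Small helpers for checking results: entry count of a list, and the
 * host-order mask of entry idx (0 if the list does not parse). */
int list_count(const char *list)
{
    struct addr_mask e[8];
    return parse_addr_list(list, e, 8);
}

unsigned long mask_of(const char *list, size_t idx)
{
    struct addr_mask e[8];
    if (parse_addr_list(list, e, 8) <= (int)idx)
        return 0;
    return ntohl(e[idx].mask.s_addr);
}

int main(void)
{
    /* Constructed sample lists exercising all three element forms. */
    const char *ok  = "10.0.0.0/8,192.168.1.0:255.255.255.0,172.16.0.1";
    const char *bad = "10.0.0.0/33";
    printf("%s -> %d entries, first mask %08lx\n", ok, list_count(ok), mask_of(ok, 0));
    printf("%s -> %d\n", bad, list_count(bad));
    return 0;
}
```

The buffer is sized from the longest legal token rather than from the input, and a token that would not fit is an error, which is the check the submitter's hand-copied loop lacks.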

fsfwc002# diff /usr/src/sbin/ipfw/ipfw2.c.old /usr/src/sbin/ipfw/ipfw2.c
>         char t[15];
>         int ti;
>         for(ti=0; ti<16 && p[ti] != 0; ti++){
>                 t[ti]=p[ti+1];
>                 if(t[ti] != '.' && (t[ti] < '0' || t[ti] > '9'))
>                         t[ti] = '\0';
>         }
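Review bot: the copy loop overruns `t`: the buffer is declared as `char t[15]` but the loop runs while `ti<16`, so `t[15]` is written one byte past the end, and for a 15-character address such as `255.255.255.255` the string is NUL-terminated only through that out-of-bounds byte, or not at all if another digit follows, before it reaches `inet_aton()`/`atoi()`. Size the buffer for the longest dotted quad plus the terminator (`char t[16]`), bound the loop by `sizeof(t) - 1`, and write the terminator unconditionally after the loop; simpler still, take the token length with `strspn(p + 1, "0123456789.")` and copy with `strlcpy()` so the bound is explicit. The loop also tests `p[ti]` while copying `p[ti+1]`, which only works because `p` points at the delimiter; that deserves a comment.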
<               if (!inet_aton(p, (struct in_addr *)&d[1]))
>               if (!inet_aton(t, (struct in_addr *)&d[1]))
<               masklen = atoi(p);
>               masklen = atoi(t);
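Review bot: the diff carries no hunk headers (no `NNNaNNN` or `@@` lines), so it cannot be seen where the `t` declaration and the copy loop sit relative to the two replaced calls, in particular whether `masklen = atoi(t)` in the `/xx` branch is reached with `t` filled from the same `p`; please regenerate with `diff -u` so the context lines show both uses. Independently of that, `masklen = atoi(t)` still stores whatever `atoi()` returns with no range check, so a test that `masklen` lies between 0 and 32 belongs next to that call.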

