misc/107565: input string parsing mistake
Igor Anishchuk
igor.anishchuk at f-secure.com
Fri Jan 5 06:50:15 PST 2007
>Number: 107565
>Category: misc
>Synopsis: input string parsing mistake
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 05 14:50:14 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Igor Anishchuk
>Release: FreeBSD 6.2-PRERELEASE #5: Tue Jan 2 15:00:46 EET 2007
>Organization:
F-Secure Corporation
>Environment:
FreeBSD fsfwc002.test 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #5: Tue Jan 2 15:00:46 EET 2007 anisig at fsfwc002.test:/usr/obj/usr/src/sys/FSFWC amd64
>Description:
It is impossible to specify more than one IP-address and mask in colon-separated form. During my investigation I've found that the /xx form uses the same dangerous parsing method and its work relies only on an atoi() behavior hack.
As I see it, the parsing works quite stupidly. It just passes the entire line after the delimiter to an external function (either atoi() or inet_aton()), and the latter just can't parse the line if it contains anything else after the current pair of address:mask.
The file in question is /usr/src/sbin/ipfw/ipfw2.c, the lines starting from #2714.
>How-To-Repeat:
ipfw add count all from any to 192.168.0.0/24,192.168.2.0:255.255.255.0
The previous one works well. The next one doesn't.
ipfw add count all from any to 192.168.0.0:255.255.255.0,192.168.2.0:255.255.255.0
>Fix:
fsfwc002# diff /usr/src/sbin/ipfw/ipfw2.c.old /usr/src/sbin/ipfw/ipfw2.c
2722a2723,2731
> char t[15];
> int ti;
>
> for(ti=0; ti<16 && p[ti] != 0; ti++){
> t[ti]=p[ti+1];
> if(t[ti] != '.' && (t[ti] < '0' || t[ti] > '9'))
> t[ti] = '\0';
> }
>
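Review bot: the copy loop in this hunk can write one byte past the end of t. The array is declared as char t[15], but the loop runs while ti<16, so t[15] is stored to whenever the input has 16 or more characters before a NUL. A dotted-quad mask needs 15 characters plus the terminator, so declare char t[16], bound the loop with ti < sizeof(t) - 1, and set t[ti] = '\0' after the loop so the buffer is terminated even when every copied character is a digit or a dot. The loop also tests p[ti] but copies p[ti+1]; either align the two indices or add a comment saying why the first character is skipped. Using break at the first character that is neither a digit nor a dot would also avoid copying the rest of the line past the terminator.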
2734c2743
< if (!inet_aton(p, (struct in_addr *)&d[1]))
---
> if (!inet_aton(t, (struct in_addr *)&d[1]))
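Review bot: inet_aton(t, ...) here only sees a copy that was cut at the first character that is not a digit or a dot, so it can no longer reject junk that follows the mask. Record which character ended the copy and fail unless it is ',' or the end of the string, so that a malformed mask is still reported as an error instead of being silently shortened.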
2738c2747
< masklen = atoi(p);
---
> masklen = atoi(t);
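Review bot: atoi(t) on this line cannot report a parse failure. If t is empty because the first copied character was not a digit, masklen silently becomes 0, and because t may contain dots, a value such as "24.5" is read as 24. Since the patch already builds a bounded copy, use strtol() with an end pointer here and reject the field when nothing was consumed or when the end pointer does not sit on the terminator.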
>Release-Note:
>Audit-Trail:
>Unformatted:
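One way to avoid the problem described in the report is to split the list on commas first and hand each item to the address and number parsers on its own. The following is an added C example, not code from ipfw2.c or from the submitted patch; the names parse_item and parse_addr_list are hypothetical, and it uses inet_pton() and strtol() in place of inet_aton() and atoi() so that trailing characters are rejected.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse one item ("addr", "addr/len" or "addr:mask") of n bytes; hypothetical helper. */
static int parse_item(const char *s, size_t n, uint32_t *addr, uint32_t *mask)
{
    char buf[32];                      /* "a.b.c.d:a.b.c.d" is at most 31 chars + NUL */
    struct in_addr a;
    if (n == 0 || n >= sizeof(buf))
        return -1;
    memcpy(buf, s, n);                 /* copy only this item, never the rest of the line */
    buf[n] = '\0';
    char *sep = strpbrk(buf, "/:");
    char md = sep ? *sep : '\0';
    if (sep)
        *sep++ = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1)   /* strict dotted quad, no trailing junk */
        return -1;
    *addr = ntohl(a.s_addr);
    *mask = 0xffffffffu;               /* bare address means a host match */
    if (md == ':') {
        if (inet_pton(AF_INET, sep, &a) != 1)
            return -1;
        *mask = ntohl(a.s_addr);
    } else if (md == '/') {
        char *end;
        long len = strtol(sep, &end, 10);
        if (*sep < '0' || *sep > '9' || *end != '\0' || len > 32)
            return -1;
        *mask = len ? 0xffffffffu << (32 - len) : 0;
    }
    return 0;
}

/* Split on ',' first, then parse each item; returns item count or -1 on error. */
int parse_addr_list(const char *list, uint32_t *addrs, uint32_t *masks, int max)
{
    for (int count = 0; count < max; list += strcspn(list, ",") + 1) {
        size_t n = strcspn(list, ",");
        if (parse_item(list, n, &addrs[count], &masks[count]) != 0)
            return -1;
        count++;
        if (list[n] == '\0')
            return count;
    }
    return -1;                         /* more items than the caller has room for */
}
```

Addresses and masks are returned in host byte order; both address lists from the How-To-Repeat section parse to two entries with this approach.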