Date: Fri, 5 Jan 2007 16:30:22 GMT
From: "Anishchuk, Igor" <igor.anishchuk@f-secure.com>
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/107565: input string parsing mistake
Message-ID: <200701051630.l05GUMGZ002722@freefall.freebsd.org>
The following reply was made to PR kern/107565; it has been noted by GNATS.

From: "Anishchuk, Igor" <igor.anishchuk@f-secure.com>
To: <bug-followup@FreeBSD.org>, "Anishchuk, Igor" <igor.anishchuk@f-secure.com>
Cc:
Subject: Re: kern/107565: input string parsing mistake
Date: Fri, 5 Jan 2007 17:53:27 +0200

Hello!

I've found a little mistake in my workaround. The line

for(ti=0; ti<16 && p[ti] != 0; ti++){

should be

for (ti=0; ti<16 && p && p[ti] != 0; ti++){

Please change it ASAP, otherwise a segmentation fault will happen in some conditions.

The complete, tested patch is:

--- /usr/src/sbin/ipfw/ipfw2.c Fri Jan 5 17:43:25 2007 *************** *** 2720,2725 **** --- 2720,2733 ---- char *p =3D strpbrk(av, "/:,{"); int masklen; char md; + char t[15]; + int ti; + + for (ti=3D0; ti<16 && p && p[ti] !=3D 0; ti++){ + t[ti]=3Dp[ti+1]; + if(t[ti] !=3D '.' && (t[ti] < '0' || t[ti] > '9')) + t[ti] =3D '\0'; + } =20 if (p) { md =3D *p; *************** *** 2731,2741 **** errx(EX_NOHOST, "hostname ``%s'' unknown", av); switch (md) { case ':': ! if (!inet_aton(p, (struct in_addr *)&d[1])) errx(EX_DATAERR, "bad netmask ``%s''", p); break; case '/': ! masklen =3D atoi(p); if (masklen =3D=3D 0) d[1] =3D htonl(0); /* mask */ else if (masklen > 32) --- 2739,2749 ---- errx(EX_NOHOST, "hostname ``%s'' unknown", av); switch (md) { case ':': ! if (!inet_aton(t, (struct in_addr *)&d[1])) errx(EX_DATAERR, "bad netmask ``%s''", p); break; case '/': ! masklen =3D atoi(t); if (masklen =3D=3D 0) d[1] =3D htonl(0); /* mask */ else if (masklen > 32)

Thanks!
--
Igor Anishchuk, F-Secure Corporation, Senior Systems Architect
tel: +358 925205734, mobile: +358 408393620, fax: +358 925205015
mailto:igor.anishchuk@f-secure.com, WWW: http://www.f-secure.com
BE SURE.
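Review bot: In the first hunk (new lines 2720-2733), the buffer is declared as t[15] but the copy loop runs while ti<16, so the last iteration stores to t[15], one byte past the end of the array, whenever 16 or more characters follow the separator. Nothing guarantees that t is NUL-terminated either: a run of 16 digits or dots fills the buffer with no terminator before it is handed to inet_aton() or atoi(). A full dotted-quad mask is 15 characters and needs 16 bytes with its terminator, so t[15] is too small even for valid input. Suggest sizing the buffer at 16 or more, bounding the loop with ti < sizeof(t) - 1, breaking at the first character that is not a digit or a dot instead of continuing to copy, and writing the terminator once after the loop. The p test also reads more clearly if the loop moves inside the existing if (p) block rather than being re-evaluated on every iteration.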
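Review bot: In the second hunk (new lines 2739-2749), atoi(t) in the '/' case cannot tell an empty or non-numeric t from a literal 0, and the following line maps masklen == 0 to an all-zero mask, so a malformed mask is accepted as one that matches every address instead of being rejected. Because the first hunk truncates t at the first character that is not a digit or a dot, trailing garbage after a valid number is also dropped silently. Suggest parsing with strtol(), checking that at least one digit was consumed and that the end pointer sits at the end of the token, and calling errx(EX_DATAERR, ...) otherwise. In the ':' case the error message still prints p although inet_aton() now parses t, so the string reported may differ from the string that failed to parse.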