From owner-freebsd-bugs@FreeBSD.ORG  Wed Apr  9 03:00:34 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EABCA37B404
	for <freebsd-bugs@hub.freebsd.org>;
	Wed,  9 Apr 2003 03:00:33 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D36A143F85
	for <freebsd-bugs@hub.freebsd.org>;
	Wed,  9 Apr 2003 03:00:32 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h39A0WUp089432
	for <freebsd-bugs@freefall.freebsd.org>;
	Wed, 9 Apr 2003 03:00:32 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h39A0WVa089431;
	Wed, 9 Apr 2003 03:00:32 -0700 (PDT)
Resent-Date: Wed, 9 Apr 2003 03:00:32 -0700 (PDT)
Resent-Message-Id: <200304091000.h39A0WVa089431@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Dmitry Karasik <dmitry@karasik.eu.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6302737B401
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed,  9 Apr 2003 02:54:23 -0700 (PDT)
Received: from raven.plab.ku.dk (raven.plab.ku.dk [130.225.107.27])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 616A643F85
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed,  9 Apr 2003 02:54:22 -0700 (PDT)
	(envelope-from dk@raven.plab.ku.dk)
Received: from raven.plab.ku.dk (localhost [127.0.0.1])
	by raven.plab.ku.dk (8.12.9/8.12.9) with ESMTP id h399sKaB012413
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed, 9 Apr 2003 11:54:20 +0200 (CEST)
	(envelope-from dk@raven.plab.ku.dk)
Received: (from dk@localhost)
	by raven.plab.ku.dk (8.12.9/8.12.9/Submit) id h399sKPl012412;
	Wed, 9 Apr 2003 11:54:20 +0200 (CEST)
Message-Id: <200304090954.h399sKPl012412@raven.plab.ku.dk>
Date: Wed, 9 Apr 2003 11:54:20 +0200 (CEST)
From: Dmitry Karasik <dmitry@karasik.eu.org>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/50749: ipfw2 incorrectly parses ports and port ranges
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Dmitry Karasik <dmitry@karasik.eu.org>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2003 10:00:34 -0000


>Number:         50749
>Category:       bin
>Synopsis:       ipfw2 incorrectly parses ports and port ranges
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 09 03:00:32 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Karasik
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
>Environment:
System: FreeBSD raven.plab.ku.dk 4.8-STABLE FreeBSD 4.8-STABLE #7: Mon Apr 7 13:56:46 CEST 2003 root@raven.plab.ku.dk:/usr/obj/usr/src/sys/RAVEN i386


	
>Description:

        ipfw2 ( ipfw compiled with -DIPFW2) allows multiple port ranges in a single
        rule, but parses these incorrectly. Moreover, when ipfw2 fails to parse a
        port, the port list prosessing silently stops and no error is reported.

>How-To-Repeat:

        Example: valid port name 'ftp-data' is treated incorrectly and 
                 ports 'ssh' and 'www' are silently skipped:

           Input:  ipfw add 1000 allow tcp from any to any ftp,ftp-data,ssh,www
           Output: 1000 allow tcp from any to any dst-port 21

>Fix:

	Patch to /usr/src/sbin/ipfw/ipfw2.c resolves the problem. It is based
        on a comment in ipfw2.c that states that only numeric ranges are 
        allowed. Thus, the ports ranges like 'ftp-data-30' and 'ssh-25' are 
        treated as invalid. The reverse ranges, like '225-ssh', are still valid
        though.

--- ipfw2.c.patch begins here ---
--- ipfw2.c	Wed Apr  9 11:27:10 2003
+++ /plab.ku.dk/usr/src/sbin/ipfw/ipfw2.c	Wed Apr  9 11:26:12 2003
@@ -451,7 +451,7 @@
 	/*
 	 * find separator. '\\' escapes the next char.
 	 */
-	for (s1 = s; *s1 && (isalnum(*s1) || *s1 == '\\') ; s1++)
+	for (s1 = s; *s1 && (isalnum(*s1) || *s1 == '\\' || *s1 == '-') ; s1++)
 		if (*s1 == '\\' && s1[1] != '\0')
 			s1++;
 
@@ -499,20 +499,29 @@
 fill_newports(ipfw_insn_u16 *cmd, char *av, int proto)
 {
 	u_int16_t *p = cmd->ports;
-	int i = 0;
-	char *s = av;
+	int i = 0, ignore_first_error = 1;
+	char *s = av, *s1;
 
 	while (*s) {
 		u_int16_t a, b;
 
+		s1 = s;
 		a = strtoport(av, &s, 0, proto);
-		if (s == av) /* no parameter */
+		if (s == av) {/* no parameter */
+		   	if ( !ignore_first_error) { 
+			   	if ( *s1 == ',') *s1++;
+				errx(EX_DATAERR,
+				    "illegal port ``%s''", s1);
+			}
 			break;
+		}
+		ignore_first_error = 0;
 		if (*s == '-') { /* a range */
 			av = s+1;
 			b = strtoport(av, &s, 0, proto);
 			if (s == av) /* no parameter */
-				break;
+				errx(EX_DATAERR,
+			    		"illegal port ``%s''", s);
 			p[0] = a;
 			p[1] = b;
 		} else if (*s == ',' || *s == '\0' ) {
--- ipfw2.c.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted: