bugzilla-daemon at bugzilla.netfilter.org
2009-Feb-16 20:43 UTC
[Bug 577] New: cannot set spi/reqid numbers higher than 0x7fffffff (policy match)
http://bugzilla.netfilter.org/show_bug.cgi?id=577

           Summary: cannot set spi/reqid numbers higher than 0x7fffffff (policy match)
           Product: iptables
           Version: unspecified
          Platform: i386
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: iptables
        AssignedTo: laforge at netfilter.org
        ReportedBy: chris at linuxinfotag.de

When using the -m policy match, the option argument for --spi is converted using strtol(), which returns a signed 32 bit value, so the highest positive value is 0x7fffffff. Instead strtoul() should be used. The same applies for the --reqid option argument.

Setting a rule like

    iptables -A FORWARD -m policy --dir in --spi cafe2342 -j ACCEPT

and looking at the chain afterwards will give the following

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol ipsec spi 0x7fffffff

--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
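The clamping described in this report, next to a checked parse, as an added example that is not part of the original message or of the iptables source. The helpers legacy_parse_ilp32 and parse_u32 are hypothetical names, and the first one models a 32-bit long by clamping explicitly so that it behaves the same on 64-bit hosts.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the old code path on a platform with a 32-bit long:
 * strtol() saturates at LONG_MAX (0x7fffffff there) when the input is larger.
 * Clamping is done by hand so the result is identical on 64-bit hosts. */
static uint32_t legacy_parse_ilp32(const char *s, int base)
{
    long long v = strtoll(s, NULL, base);

    if (v > INT32_MAX)
        v = INT32_MAX;
    if (v < INT32_MIN)
        v = INT32_MIN;
    return (uint32_t)v;
}

/* Hypothetical checked parser for a 32-bit SPI/reqid argument.
 * Returns 0 and stores the value, or -1 on empty input, a sign or leading
 * whitespace, trailing characters, or a value above 0xffffffff. */
static int parse_u32(const char *s, int base, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (!isalnum((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoull(s, &end, base);
    if (end == s || *end != '\0' || errno == ERANGE || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample arguments, parsed as hex like --spi. */
    const char *samples[] = { "cafe2342", "7fffffff", "100000000", "-1" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t v = 0;
        int rc = parse_u32(samples[i], 16, &v);
        printf("%-10s legacy=0x%08x checked=%s 0x%08x\n", samples[i],
               (unsigned)legacy_parse_ilp32(samples[i], 16),
               rc == 0 ? "ok" : "rejected", (unsigned)v);
    }
    return 0;
}
```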
bugzilla-daemon at bugzilla.netfilter.org
2009-Feb-16 21:05 UTC
[Bug 577] cannot set spi/reqid numbers higher than 0x7fffffff (policy match)
http://bugzilla.netfilter.org/show_bug.cgi?id=577

------- Comment #1 from chris at linuxinfotag.de 2009-02-16 22:05 -------
An internal bugzilla error just prevented me attaching a patch, so I just paste it here.

diff -Nru iptables-1.4.2.orig/extensions/libipt_policy.c iptables-1.4.2/extensions/libipt_policy.c --- iptables-1.4.2.orig/extensions/libipt_policy.c 2008-10-08 18:31:58.000000000 +0200 +++ iptables-1.4.2/extensions/libipt_policy.c 2009-02-16 18:38:21.000000000 +0100 @@ -166,7 +166,7 @@ e->match.reqid = 1; e->invert.reqid = invert; - e->reqid = strtol(argv[optind-1], NULL, 10); + e->reqid = strtoul(argv[optind-1], NULL, 10); break; case '5': if (e->match.spi) @@ -175,7 +175,7 @@ e->match.spi = 1; e->invert.spi = invert; - e->spi = strtol(argv[optind-1], NULL, 0x10); + e->spi = strtoul(argv[optind-1], NULL, 0x10); break; case '6': if (e->match.saddr)
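Review bot: In the @@ -166 hunk, strtoul(argv[optind-1], NULL, 10) still passes NULL as the end pointer and never checks errno, so --reqid treats an empty or non-numeric argument as 0, ignores trailing characters, and turns a negative argument such as -1 into a large unsigned value instead of an error. Suggest passing an end pointer, requiring that at least one digit was consumed and that *end is '\0', and rejecting a leading minus sign before storing into e->reqid.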
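Review bot: In the @@ -175 hunk, the result of strtoul(argv[optind-1], NULL, 0x10) is assigned to e->spi with no range check. Where unsigned long is 64 bits, an argument above 0xffffffff would be silently truncated if e->spi is a 32-bit field (which the 0x7fffffff ceiling in the report suggests), and on overflow strtoul returns ULONG_MAX with errno set to ERANGE, which goes unnoticed here. Suggest checking errno and comparing against the 32-bit maximum before the assignment; writing the base as 16 rather than 0x10 would also read more plainly.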
bugzilla-daemon at bugzilla.netfilter.org
2009-Feb-17 18:23 UTC
[Bug 577] cannot set spi/reqid numbers higher than 0x7fffffff (policy match)
http://bugzilla.netfilter.org/show_bug.cgi?id=577

kaber at trash.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Comment #2 from kaber at trash.net 2009-02-17 19:23 -------
Applied, thanks Christian.