bugzilla-daemon at netfilter.org
2013-Sep-26 14:11 UTC
[Bug 854] New: xtables_ipmask_to_cidr error code leaks into output of iptables --list
https://bugzilla.netfilter.org/show_bug.cgi?id=854

           Summary: xtables_ipmask_to_cidr error code leaks into output of iptables --list
           Product: iptables
           Version: 1.4.x
          Platform: x86_64
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: e6lit7 at gmx.net
   Estimated Hours: 0.0

xtables_ipmask_to_cidr error code leaks into output of "iptables --list" when
non-CIDR-compatible masks are used:

# iptables -V
iptables v1.4.20

# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 1.0.0.0/8 -j ACCEPT
-A FORWARD -d 0.2.0.0/0.255.0.0 -j ACCEPT
-A FORWARD -d 0.0.3.0/0.0.255.0 -j ACCEPT
-A FORWARD -d 0.0.0.4/0.0.0.255 -j ACCEPT

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             1.0.0.0/8
ACCEPT     all  --  anywhere             0.2.0.0/-1      // Error code leak
ACCEPT     all  --  anywhere             0.0.3.0/-1      // Error code leak
ACCEPT     all  --  anywhere             0.0.0.4/-1      // Error code leak

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As far as I understand the source code, the mask should be displayed in dotted
format if CIDR format is not possible.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Sep-26 15:58 UTC
[Bug 854] xtables_ipmask_to_cidr error code leaks into output of iptables --list
https://bugzilla.netfilter.org/show_bug.cgi?id=854

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com

--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-09-26 17:58:33 CEST ---
Not exactly an error code leak, but a signed/unsigned conversion issue. Try
the patch below (with --ignore-whitespace).

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index ef5bc07..8437baf 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1243,7 +1243,7 @@ const char *xtables_ipmask_to_numeric(const struct in_addr *mask)
 	uint32_t cidr;
 
 	cidr = xtables_ipmask_to_cidr(mask);
-	if (cidr < 0) {
+	if (cidr == (unsigned int)-1) {
 		/* mask was not a decent combination of 1's and 0's */
 		sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask));
 		return buf;
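Review bot: the new test `if (cidr == (unsigned int)-1)` compares a variable declared `uint32_t cidr;` against a sentinel spelled in a different type; writing it as `(uint32_t)-1` (or `UINT32_MAX`) keeps the comparison independent of `unsigned int` happening to be 32 bits. The replaced line `if (cidr < 0)` shows the sentinel was being read as a signed -1 while `cidr` is unsigned, so the comparison could never be true; the comment `/* mask was not a decent combination of 1's and 0's */` would be worth extending with a note that the error value is the all-ones pattern, so the next reader does not reintroduce the signed check.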
bugzilla-daemon at netfilter.org
2013-Sep-27 14:52 UTC
[Bug 854] xtables_ipmask_to_cidr error code leaks into output of iptables --list
https://bugzilla.netfilter.org/show_bug.cgi?id=854

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Phil Oester <netfilter at linuxace.com> 2013-09-27 16:52:50 CEST ---
Patch applied as commit 03e22701 (libxtables: xtables_ipmask_to_numeric
incorrect with non-CIDR masks). Closing.
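The following is an added illustration of the bug discussed in this thread; it is not code from the report, from the patch, or from iptables/libxtables. It uses minimal stand-ins (`mask_to_cidr`, `mask_to_numeric_buggy`, `mask_to_numeric_fixed`, all hypothetical names) that treat a netmask as a plain `uint32_t` in host byte order, and runs the four masks from the report through both the `cidr < 0` test from before the patch and the all-ones comparison from after it, so the "/-1" output and the dotted-quad fallback can be seen side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for xtables_ipmask_to_cidr (hypothetical, not the library's code).
 * Masks are uint32_t in host byte order (assumption for this example).
 * Returns the prefix length when the mask is a run of 1 bits followed only
 * by 0 bits, and the all-ones value (uint32_t)-1 otherwise. */
static uint32_t mask_to_cidr(uint32_t mask)
{
    uint32_t bits = 0;

    while (mask & 0x80000000u) {    /* count the leading 1 bits */
        bits++;
        mask <<= 1;
    }
    /* A 1 bit left below the run (e.g. 0.255.0.0) means no /N exists. */
    return mask ? (uint32_t)-1 : bits;
}

/* Dotted-quad rendering of a host-order 32-bit value. */
static void to_dotted(uint32_t a, char *out, size_t n)
{
    snprintf(out, n, "%u.%u.%u.%u",
             a >> 24, (a >> 16) & 0xffu, (a >> 8) & 0xffu, a & 0xffu);
}

/* Before the fix: mirrors the `if (cidr < 0)` test. cidr is unsigned, so the
 * test is never true; the sentinel 0xffffffff reaches the %d conversion and
 * prints as -1, which is the "/-1" the reporter saw in `iptables --list`. */
static const char *mask_to_numeric_buggy(uint32_t mask, char *buf, size_t n)
{
    uint32_t cidr = mask_to_cidr(mask);

    if (cidr < 0) {                 /* always false for an unsigned type */
        char dq[16];
        to_dotted(mask, dq, sizeof dq);
        snprintf(buf, n, "/%s", dq);
        return buf;
    }
    snprintf(buf, n, "/%d", (int)cidr);   /* yields -1 for 0xffffffff */
    return buf;
}

/* After the fix: compare against the sentinel in the variable's own type and
 * fall back to the dotted mask, as the reporter expected. */
static const char *mask_to_numeric_fixed(uint32_t mask, char *buf, size_t n)
{
    uint32_t cidr = mask_to_cidr(mask);

    if (cidr == (uint32_t)-1) {
        char dq[16];
        to_dotted(mask, dq, sizeof dq);
        snprintf(buf, n, "/%s", dq);
        return buf;
    }
    snprintf(buf, n, "/%u", cidr);
    return buf;
}

int main(void)
{
    /* Constructed input: the /8 mask and the three non-CIDR masks from the report. */
    const uint32_t masks[] = { 0xff000000u, 0x00ff0000u, 0x0000ff00u, 0x000000ffu };
    char b1[32], b2[32];

    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++)
        printf("mask 0x%08x  buggy: %-14s fixed: %s\n", masks[i],
               mask_to_numeric_buggy(masks[i], b1, sizeof b1),
               mask_to_numeric_fixed(masks[i], b2, sizeof b2));
    return 0;
}
```

Compiled with warnings enabled, the `cidr < 0` line is exactly the kind of comparison a compiler can flag as always false, which is the cheapest way to catch this class of signed/unsigned sentinel mix-up before it reaches user-visible output.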