bugzilla-daemon at netfilter.org
2013-Sep-26 14:11 UTC
[Bug 854] New: xtables_ipmask_to_cidr error code leaks into output of iptables --list
https://bugzilla.netfilter.org/show_bug.cgi?id=854
Summary: xtables_ipmask_to_cidr error code leaks into output of iptables --list
Product: iptables
Version: 1.4.x
Platform: x86_64
OS/Version: Debian GNU/Linux
Status: NEW
Severity: trivial
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: e6lit7 at gmx.net
Estimated Hours: 0.0
xtables_ipmask_to_cidr error code leaks into output of "iptables --list" when non-CIDR compatible masks are used:
# iptables -V
iptables v1.4.20
# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 1.0.0.0/8 -j ACCEPT
-A FORWARD -d 0.2.0.0/0.255.0.0 -j ACCEPT
-A FORWARD -d 0.0.3.0/0.0.255.0 -j ACCEPT
-A FORWARD -d 0.0.0.4/0.0.0.255 -j ACCEPT
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 1.0.0.0/8
ACCEPT all -- anywhere 0.2.0.0/-1 // Error code leak
ACCEPT all -- anywhere 0.0.3.0/-1 // Error code leak
ACCEPT all -- anywhere 0.0.0.4/-1 // Error code leak
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
As far as I understand the source code, the mask should be displayed in dotted
format if CIDR format is not possible.
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Sep-26 15:58 UTC
[Bug 854] xtables_ipmask_to_cidr error code leaks into output of iptables --list
Phil Oester <netfilter at linuxace.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |netfilter at linuxace.com
--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-09-26 17:58:33 CEST ---
Not exactly an error code leak, but a signed/unsigned conversion issue. Try
below patch (with --ignore-whitespace).
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index ef5bc07..8437baf 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1243,7 +1243,7 @@ const char *xtables_ipmask_to_numeric(const struct
in_addr *mask)
uint32_t cidr;
cidr = xtables_ipmask_to_cidr(mask);
- if (cidr < 0) {
+ if (cidr == (unsigned int)-1) {
/* mask was not a decent combination of 1's and 0's */
sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask));
return buf;
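Review bot: the root cause is the "uint32_t cidr;" declaration at the top of the hunk, and the new test "cidr == (unsigned int)-1" works around it rather than removing it. xtables_ipmask_to_cidr reports a non-contiguous mask with -1; assigned to an unsigned local that becomes 0xFFFFFFFF, so the old "cidr < 0" could never be true and the value later printed as "-1" (the "/-1" in the report). Comparing against (unsigned int)-1 is only correct while unsigned int and uint32_t have the same width, so at minimum write the cast as (uint32_t)-1, or use UINT32_MAX, to match the declared type. The more direct fix is to declare cidr as int, matching the function's return type, and keep "if (cidr < 0)"; building with -Wextra (which enables -Wtype-limits) would have flagged the original comparison as always false.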
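The signed/unsigned point from the comment above, worked through as an added example. This is not code from the bug thread or from libxtables: the demo_* functions and the mask-to-prefix loop are stand-ins written here, since the body of xtables_ipmask_to_cidr is not shown on this page. The practical reason to care is visible in the report itself: "iptables --list-rules" printed 0.2.0.0/0.255.0.0 while "iptables --list" printed 0.2.0.0/-1 for the same rule, so anyone auditing a ruleset from -L output would not see the mask the kernel actually matches on.

```c
/*
 * Added example for netfilter bug 854 (not libxtables code): why a -1
 * sentinel stored in a uint32_t prints as "/-1", and how the corrected
 * comparison recovers the dotted-mask fallback. All demo_* names are
 * invented here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Prefix length of a host-order IPv4 netmask, or -1 when the mask is not a
 * run of 1 bits followed by 0 bits (0.255.0.0 has no CIDR form).
 * Stand-in for xtables_ipmask_to_cidr(); the real body is not on this page.
 */
static int demo_mask_to_cidr(uint32_t mask)
{
    int ones = 0;

    while (mask & 0x80000000u) {
        mask <<= 1;
        ones++;
    }
    /* a 1 bit left after the first 0 means the mask is non-contiguous */
    return mask ? -1 : ones;
}

/* Dotted-quad rendering of a host-order mask, e.g. 0x00FF0000 -> "0.255.0.0". */
static char *demo_dotted(uint32_t mask, char *out, size_t n)
{
    snprintf(out, n, "%u.%u.%u.%u",
             (unsigned)(mask >> 24), (unsigned)((mask >> 16) & 0xff),
             (unsigned)((mask >> 8) & 0xff), (unsigned)(mask & 0xff));
    return out;
}

/*
 * "Before": the result lands in a uint32_t, so -1 becomes 0xFFFFFFFF and
 * "cidr < 0" is always false. The sentinel falls through to the numeric
 * branch and is printed as -1 (gcc/clang warn about this with -Wtype-limits).
 */
static const char *demo_mask_before(uint32_t mask)
{
    static char buf[24];
    char dotted[16];
    uint32_t cidr = demo_mask_to_cidr(mask);

    if (cidr < 0)   /* never true: an unsigned value is never negative */
        snprintf(buf, sizeof buf, "/%s", demo_dotted(mask, dotted, sizeof dotted));
    else
        snprintf(buf, sizeof buf, "/%d", (int)cidr);
    return buf;
}

/*
 * "After": same shape as the applied patch, comparing against the unsigned
 * image of -1 so the dotted fallback is reached. (uint32_t)-1 matches the
 * variable's declared type; declaring cidr as int and keeping "< 0" would
 * be the more direct fix.
 */
static const char *demo_mask_after(uint32_t mask)
{
    static char buf[24];
    char dotted[16];
    uint32_t cidr = demo_mask_to_cidr(mask);

    if (cidr == (uint32_t)-1)
        snprintf(buf, sizeof buf, "/%s", demo_dotted(mask, dotted, sizeof dotted));
    else
        snprintf(buf, sizeof buf, "/%d", (int)cidr);
    return buf;
}

int main(void)
{
    /* constructed masks matching the report: 255.0.0.0, 0.255.0.0, 0.0.255.0, 0.0.0.255 */
    static const uint32_t masks[] = { 0xFF000000u, 0x00FF0000u, 0x0000FF00u, 0x000000FFu };
    char dotted[16];

    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++)
        printf("%-16s before: %-14s after: %s\n",
               demo_dotted(masks[i], dotted, sizeof dotted),
               demo_mask_before(masks[i]), demo_mask_after(masks[i]));
    return 0;
}
```

Running it prints "/8" for 255.0.0.0 under both versions, but "/-1" versus "/0.255.0.0" for the non-contiguous masks, which is exactly the difference between the --list output in the report and the fixed behaviour.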
bugzilla-daemon at netfilter.org
2013-Sep-27 14:52 UTC
[Bug 854] xtables_ipmask_to_cidr error code leaks into output of iptables --list
Phil Oester <netfilter at linuxace.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #2 from Phil Oester <netfilter at linuxace.com> 2013-09-27 16:52:50 CEST ---
Patch applied as commit 03e22701 (libxtables: xtables_ipmask_to_numeric
incorrect with non-CIDR masks). Closing.