bugzilla-daemon at bugzilla.netfilter.org
2009-Feb-16 20:43 UTC
[Bug 577] New: cannot set spi/reqid numbers higher than 0x7fffffff (policy match)
http://bugzilla.netfilter.org/show_bug.cgi?id=577
Summary: cannot set spi/reqid numbers higher than 0x7fffffff (policy match)
Product: iptables
Version: unspecified
Platform: i386
OS/Version: All
Status: NEW
Severity: normal
Priority: P1
Component: iptables
AssignedTo: laforge at netfilter.org
ReportedBy: chris at linuxinfotag.de
When using the -m policy match, the option argument for --spi is converted
using strtol(), which returns a signed 32-bit value, so the highest
positive value is 0x7fffffff. Instead strtoul() should be used.
The same applies for the --reqid option argument.
Setting a rule like
iptables -A FORWARD -m policy --dir in --spi cafe2342 -j ACCEPT
and looking at the chain afterwards will give the following
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir in pol ipsec spi 0x7fffffff
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
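The report above describes what strtol() does with a value such as cafe2342 once long is 32 bits wide. The following is an added example, not code from the bug report or from iptables: it contrasts an unchecked strtoul() parse (the style of parse the match uses, under the assumed name parse_u32_unchecked) with a strict parser (assumed name parse_u32_strict) that also rejects what strtoul() alone will not, namely a leading '-', trailing garbage, and values that fit in an unsigned long but not in the 32-bit spi/reqid field. The inputs are constructed for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked parse in the style of the match's option handling:
 * strtoul() with no end pointer and no errno check, result truncated
 * to the 32-bit field. Garbage yields 0, "-1" wraps to ULONG_MAX and
 * is stored as 0xffffffff, and on an LP64 host a value wider than
 * 32 bits is silently cut down to its low 32 bits. */
static uint32_t parse_u32_unchecked(const char *s, int base)
{
    return (uint32_t)strtoul(s, NULL, base);
}

/* Strict parse: accepts only a complete, non-negative number that fits
 * in 32 bits. Returns 0 and stores the value on success, -1 on any
 * rejection, so a caller can report a bad --spi/--reqid argument
 * instead of installing a rule that matches the wrong value. */
static int parse_u32_strict(const char *s, int base, uint32_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s == '\0')
        return -1;
    /* strtoul() skips leading whitespace and accepts a sign; refuse
     * both so that "-1" cannot wrap to ULONG_MAX. */
    if (isspace((unsigned char)*s) || *s == '-' || *s == '+')
        return -1;

    errno = 0;
    v = strtoul(s, &end, base);
    if (errno == ERANGE)            /* does not fit in unsigned long */
        return -1;
    if (end == s || *end != '\0')   /* no digits, or trailing garbage */
        return -1;
    if (v > 0xffffffffUL)           /* fits in long, not in the u32 field */
        return -1;

    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the SPI from the report plus edge cases. */
    const char *inputs[] = { "cafe2342", "0xcafe2342", "7fffffff",
                             "ffffffff", "100000000", "-1", "cafeXY", "" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        uint32_t v = 0;
        int rc = parse_u32_strict(inputs[i], 16, &v);
        printf("%-12s unchecked=0x%08x strict=%s",
               inputs[i], parse_u32_unchecked(inputs[i], 16),
               rc == 0 ? "ok" : "rejected");
        if (rc == 0)
            printf(" 0x%08x", v);
        putchar('\n');
    }
    return 0;
}
```

Base 16 lets strtoul() accept an optional 0x prefix, so both spellings of the SPI parse; the strict parser keeps that behaviour while refusing 100000000 (33 bits), -1 and cafeXY, all of which the unchecked form turns into a plausible-looking 32-bit value.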
bugzilla-daemon at bugzilla.netfilter.org
2009-Feb-16 21:05 UTC
[Bug 577] cannot set spi/reqid numbers higher than 0x7fffffff (policy match)
http://bugzilla.netfilter.org/show_bug.cgi?id=577
------- Comment #1 from chris at linuxinfotag.de 2009-02-16 22:05 -------
An internal bugzilla error just prevented me attaching a patch,
so I just paste it here.
diff -Nru iptables-1.4.2.orig/extensions/libipt_policy.c
iptables-1.4.2/extensions/libipt_policy.c
--- iptables-1.4.2.orig/extensions/libipt_policy.c 2008-10-08
18:31:58.000000000 +0200
+++ iptables-1.4.2/extensions/libipt_policy.c 2009-02-16 18:38:21.000000000
+0100
@@ -166,7 +166,7 @@
e->match.reqid = 1;
e->invert.reqid = invert;
- e->reqid = strtol(argv[optind-1], NULL, 10);
+ e->reqid = strtoul(argv[optind-1], NULL, 10);
break;
case '5':
if (e->match.spi)
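Review bot: the strtoul() call in the reqid case fixes the sign limit but still validates nothing: with a NULL end pointer and no errno check, --reqid abc silently stores 0, --reqid -1 stores ULONG_MAX truncated to 0xffffffff, and on an LP64 build any decimal value above 4294967295 is truncated when assigned to the 32-bit reqid field. Suggest parsing into an unsigned long with an end pointer, rejecting a leading '-', checking errno == ERANGE and *end != '\0', and failing the rule with a clear message if the value exceeds 0xffffffff.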
@@ -175,7 +175,7 @@
e->match.spi = 1;
e->invert.spi = invert;
- e->spi = strtol(argv[optind-1], NULL, 0x10);
+ e->spi = strtoul(argv[optind-1], NULL, 0x10);
break;
case '6':
if (e->match.saddr)
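Review bot: the spi case needs the same upper-bound check, since strtoul() with base 0x10 happily returns 0x1ffffffff on LP64 and the assignment silently keeps only the low 32 bits; note also that base 16 makes strtoul() accept an optional 0x prefix, so --spi 0xcafe2342 and --spi cafe2342 both parse, which is worth stating in the option help if intended. Minor style point: writing the base as 16 rather than 0x10 reads more naturally.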
bugzilla-daemon at bugzilla.netfilter.org
2009-Feb-17 18:23 UTC
[Bug 577] cannot set spi/reqid numbers higher than 0x7fffffff (policy match)
http://bugzilla.netfilter.org/show_bug.cgi?id=577
kaber at trash.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Comment #2 from kaber at trash.net 2009-02-17 19:23 -------
Applied, thanks Christian.