netfilter buglog - Mar 2012 - [Bug 774] New: iptables-restore can't parses the quoted parameter correctly.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

           Summary: iptables-restore can't parses the quoted parameter
                    correctly.
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables-restore
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: fryasu at yahoo.co.jp
   Estimated Hours: 0.0


Created attachment 378
  --> http://bugzilla.netfilter.org/attachment.cgi?id=378
The simple patch to correct the parsing of quoted parameter.

iptables-restore can't parse the parameter which is
bundled with double-quotation character("").

for instance, the following text data was registered
by "iptables-restore -n" command.

    *filter
    -A OUTPUT -m string --string "FOOO" --algo bm -j ACCEPT
    COMMIT

Then, the contents of registration are checked by
"iptables-save" command, 

    $ iptables-save |grep string
    -A OUTPUT -m string --string "--st" --algo bm --to 65535 -j ACCEPT

the parameter "FOO" is corrupted obviously to the one
parameter before,

This seems the simple bug. I tried to make the simple
patch. If this patch become to help to you even a little,
I'm happy.

regards,

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

fryasu at yahoo.co.jp changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fryasu at yahoo.co.jp
           Platform|All                         |i386
         OS/Version|All                         |Fedora

--- Comment #1 from fryasu at yahoo.co.jp 2012-03-01 11:44:02 CET ---
My environment is gcc 4.7.0 and Fedora 17(rawhide).
Parhaps this bug depends on compiler version...

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

Peter Wu <lekensteyn at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tothandor at gmail.com

--- Comment #2 from Peter Wu <lekensteyn at gmail.com> 2012-06-25 22:38:36
CEST ---
*** Bug 790 has been marked as a duplicate of this bug. ***

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

Peter Wu <lekensteyn at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lekensteyn at gmail.com

--- Comment #3 from Peter Wu <lekensteyn at gmail.com> 2012-06-25 22:41:53
CEST ---
I can confirm this issue on gcc 4.7.1 on Arch Linux. Other bug reports include
https://bugzilla.redhat.com/show_bug.cgi?id=827919.
With optimization flags -O1 or higher, this bug kicks in. It is a tricky one
that the compiler does not catch. No wonder, it is undefined behavior.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

Peter Wu <lekensteyn at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hvtaifwkbgefbaei at gmail.com

--- Comment #4 from Peter Wu <lekensteyn at gmail.com> 2012-06-25 22:57:37
CEST ---
*** Bug 782 has been marked as a duplicate of this bug. ***

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

Eugene Markow <ejmarkow at yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ejmarkow at yahoo.com

--- Comment #5 from Eugene Markow <ejmarkow at yahoo.com> 2012-06-26
08:42:19 CEST ---
(In reply to comment #4)
> *** Bug 782 has been marked as a duplicate of this bug. ***
As noted in my comment in the duplicate Bug Report #782, I can also confirm
this issue with GCC 4.7.1 on Arch Linux x86-64. All of my system specs are
shown in that post.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

samlt <sam-nf at sltosis.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam-nf at sltosis.org

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

jamie at strandboge.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jamie at strandboge.com

--- Comment #6 from jamie at strandboge.com 2012-07-20 23:58:14 CEST ---
I can also confirm this on Ubuntu 12.10 (https://launchpad.net/bugs/1027252),
amd64 with gcc-4.7. Using the submitted patch resolves the issue. This patch is
also now included in Fedora 17 (from
https://bugzilla.redhat.com/show_bug.cgi?id=825796, see
https://admin.fedoraproject.org/updates/FEDORA-2012-10826/iptables-1.4.14-2.fc17).

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

pl.bugs2 at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pl.bugs2 at gmail.com

--- Comment #7 from pl.bugs2 at gmail.com 2012-07-22 20:09:16 CEST ---
(In reply to comment #0)
> Created attachment 378 [details]
> The simple patch to correct the parsing of quoted parameter.
> 
> iptables-restore can't parse the parameter which is
> bundled with double-quotation character("").
> 
> for instance, the following text data was registered
> by "iptables-restore -n" command.
> 
>     *filter
>     -A OUTPUT -m string --string "FOOO" --algo bm -j ACCEPT
>     COMMIT
> 
> Then, the contents of registration are checked by
> "iptables-save" command, 
> 
>     $ iptables-save |grep string
>     -A OUTPUT -m string --string "--st" --algo bm --to 65535 -j
ACCEPT
> 
> the parameter "FOO" is corrupted obviously to the one
> parameter before,
> 
> This seems the simple bug. I tried to make the simple
> patch. If this patch become to help to you even a little,
> I'm happy.
> 
> regards,
Hello,

Thank you for attaching your patch. It solves the problem for me on Debian.

Cheers.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pablo at netfilter.org

--- Comment #8 from Pablo Neira Ayuso <pablo at netfilter.org> 2012-07-23
13:24:31 CEST ---
(In reply to comment #7)
> (In reply to comment #0)
> > Created attachment 378 [details] [details]
> > The simple patch to correct the parsing of quoted parameter.
> > 
> > iptables-restore can't parse the parameter which is
> > bundled with double-quotation character("").
> > 
> > for instance, the following text data was registered
> > by "iptables-restore -n" command.
> > 
> >     *filter
> >     -A OUTPUT -m string --string "FOOO" --algo bm -j ACCEPT
> >     COMMIT
> > 
> > Then, the contents of registration are checked by
> > "iptables-save" command, 
> > 
> >     $ iptables-save |grep string
> >     -A OUTPUT -m string --string "--st" --algo bm --to 65535
-j ACCEPT
> > 
> > the parameter "FOO" is corrupted obviously to the one
> > parameter before,
> > 
> > This seems the simple bug. I tried to make the simple
> > patch. If this patch become to help to you even a little,
> > I'm happy.
> > 
> > regards,
> 
> Hello,
> 
> Thank you for attaching your patch. It solves the problem for me on Debian.
> 
> Cheers.
I'm proposing this patch instead:

marc.info/?l=netfilter-devel&m=134304022429189&w=2

If nobody complains, I'll merge it to mainstream.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
You are watching someone on the CC list of the bug.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

--- Comment #9 from Peter Wu <lekensteyn at gmail.com> 2012-07-23 13:36:46
CEST ---
If all it does it moving the param parsing to a function and thereby also
moving the declaration of param_buffer (as the commit msg and patch suggest),
then I am fine with that.

I don't think you need to ping gcc people for this, the previous behaviour
was
undefined.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
You are watching someone on the CC list of the bug.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

--- Comment #10 from Pablo Neira Ayuso <pablo at netfilter.org> 2012-07-23
15:00:15 CEST ---
(In reply to comment #9)
> If all it does it moving the param parsing to a function and thereby also
> moving the declaration of param_buffer (as the commit msg and patch
suggest),
> then I am fine with that.
> 
> I don't think you need to ping gcc people for this, the previous
behaviour was
> undefined.
Then, I'm missing anything.

I don't see any dereference to param_buffer out of the loop and add_argv.(In
reply to comment #9)
> If all it does it moving the param parsing to a function and thereby also
> moving the declaration of param_buffer (as the commit msg and patch
suggest),
> then I am fine with that.
> 
> I don't think you need to ping gcc people for this, the previous
behaviour was
> undefined.
Then, I'm really missing anything, because I still don't see why that
param_buffer needs to be declared out of the loop.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
You are watching someone on the CC list of the bug.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

--- Comment #11 from Peter Wu <lekensteyn at gmail.com> 2012-07-23
18:10:38 CEST ---
The core of this bug is essentially the same as the below code snippet:

--- BEGIN CODE ---
#include <stdio.h>

int main() {
        int i, j = 0;
        for (i = 0; i < 5; i++) {
                char x[10];
                if (i == 4) {
                        x[i] = 0;
                        printf("%s\n", x); 
                        break;
                }   
                x[j++] = '0' + i;
        }   
        return 0;
}
--- END CODE ---

You may expect "0123\n" to be printed, but if variable x is gone after
the for
compound statement in the for-loop terminates, it is not guaranteed that x
equals the x identifier from the previous iteration. I though that this was the
"correct behaviour". But then I looked in the C standard document.

The ISO/IEC 9899:1999 document[1] states:
> An iteration statement is a block whose scope is a strict subset of
> the scope of its scope of enclosing block. The loop body is also a
> block whose scope is a strict subset of the scope of the iteration
> statement.
So "x" from the above code belongs to the scope of the whole for-loop
expression (for(A;B;C)D), and not just D if I have read the standard correctly?
In that case GCC does indeed have a bug and my previous assumption was wrong.
Does anyone already have pinged GCC?

 [1]: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
You are watching someone on the CC list of the bug.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

--- Comment #12 from Peter Wu <lekensteyn at gmail.com> 2012-07-23
18:23:53 CEST ---
Giving it another thought, redeclarations in the same scope is forbidden. So I
either have skipped something in the standard or there is an undefined case.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
You are watching someone on the CC list of the bug.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

Peter Wu <lekensteyn at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #13 from Peter Wu <lekensteyn at gmail.com> 2012-08-20
17:26:46 CEST ---
Fixed in netfilter 1.4.15
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commit;h=2165f38d2582e88e8a9dd9416f34eca7a7672e5a

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
You are watching someone on the CC list of the bug.

http://bugzilla.netfilter.org/show_bug.cgi?id=774

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |spamme at ecybernard.com

--- Comment #14 from Pablo Neira Ayuso <pablo at netfilter.org> 2012-11-17
14:01:38 CET ---
*** Bug 799 has been marked as a duplicate of this bug. ***

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
You are watching someone on the CC list of the bug.