From patchwork Wed May 8 13:08:48 2013
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 242576
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: Thomas Jarosch
Subject: [PATCH] libxtables: fix parsing of dotted network mask format
Date: Wed, 8 May 2013 15:08:48 +0200
Message-Id: <1368018528-10137-1-git-send-email-pablo@netfilter.org>

After upgrade from iptables 1.4.8 to 1.4.18 netmask parsing got broken:

  -A foo -m policy --mode tunnel --dir in --tunnel-src 192.168.123.0/255.255.255.0 -j RETURN

With iptables 1.4.18:

  iptables-restore v1.4.18: policy: bad value for option "--tunnel-src", or out of range (0-32)

This was probably broken by augmented parser.

Reported-by: Thomas Jarosch
Signed-off-by: Pablo Neira Ayuso
---
 libxtables/xtoptions.c | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c index 452e0fe..37fcf53 100644 --- a/libxtables/xtoptions.c +++ b/libxtables/xtoptions.c 
@@ -667,6 +667,33 @@ static void xtopt_parse_mport(struct xt_option_call *cb) free(lo_arg); } +static int xtopt_parse_mask(struct xt_option_call *cb) +{ + struct addrinfo hints = {.ai_family = afinfo->family, + .ai_flags = AI_NUMERICHOST }; + struct addrinfo *res; + int ret; + + ret = getaddrinfo(cb->arg, NULL, &hints, &res); + if (ret < 0) + return 0; + + memcpy(&cb->val.hmask, xtables_sa_host(res->ai_addr, res->ai_family), + xtables_sa_hostlen(res->ai_family)); + + switch(afinfo->family) { + case AF_INET: + cb->val.hlen = xtables_ipmask_to_cidr(&cb->val.hmask.in); + break; + case AF_INET6: + cb->val.hlen = xtables_ip6mask_to_cidr(&cb->val.hmask.in6); + break; + } + + freeaddrinfo(res); + return 1; +} + /** * Parse an integer and ensure it is within the address family's prefix length * limits. The result is stored in @cb->val.hlen. @@ -677,12 +704,16 @@ static void xtopt_parse_plen(struct xt_option_call *cb) unsigned int prefix_len = 128; /* happiness is a warm gcc */ cb->val.hlen = (afinfo->family == NFPROTO_IPV4) ? 32 : 128; - if (!xtables_strtoui(cb->arg, NULL, &prefix_len, 0, cb->val.hlen)) + if (!xtables_strtoui(cb->arg, NULL, &prefix_len, 0, cb->val.hlen)) { + /* Is this mask expressed in full format? e.g. 255.255.255.0 */ + if (xtopt_parse_mask(cb)) + return; + xt_params->exit_err(PARAMETER_PROBLEM, "%s: bad value for option \"--%s\", " "or out of range (%u-%u).\n", cb->ext_name, entry->name, 0, cb->val.hlen); - + } cb->val.hlen = prefix_len; }
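
Review bot: in the new xtopt_parse_mask(), the test "if (ret < 0)" after getaddrinfo() only catches negative error codes. getaddrinfo() reports failure with any nonzero return, so "if (ret != 0)" is the portable check; with a positive error code the code would go on to dereference an unset res. The results of xtables_ipmask_to_cidr() and xtables_ip6mask_to_cidr() are also stored in cb->val.hlen unchecked, so if those helpers report an error for a mask that is not a contiguous prefix (for example 255.0.255.0), that value becomes the prefix length and the function still returns 1; check the result, call freeaddrinfo(res) and return 0 in that case. The switch has no default, so for any other family hlen keeps whatever the caller set and success is still reported.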
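
Review bot: in xtopt_parse_plen(), the fallback to xtopt_parse_mask() runs for every string that xtables_strtoui() rejects, not only for dotted masks, so an out-of-range number such as 33 for IPv4 is now passed to getaddrinfo() as well, and the range error is reached only if that call rejects it. Attempting the mask parse only when the argument is not a plain integer would keep the "out of range" path intact. The doc comment above the function still says it parses an integer and should mention the full mask format, and the error text still describes only the numeric range, which will confuse a user who typed a malformed dotted mask.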