[server] make IPT_INPUT_ACCESS validation more strict on allowed chars
authorMichael Rash <mbr@cipherdyne.org>
Mon, 5 Aug 2013 03:20:53 +0000 (23:20 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Mon, 5 Aug 2013 03:20:53 +0000 (23:20 -0400)
server/fw_util_iptables.c
test/tests/basic_operations.pl

index 6456122..2b05415 100644 (file)
@@ -729,6 +729,17 @@ set_fw_chain_conf(const int type, const char * const conf_str)
                 tbuf[i++] = *ndx;
         }
         ndx++;
+        if(*ndx != '\0'
+                && *ndx != ' '
+                && *ndx != ','
+                && *ndx != '_'
+                && isalnum(*ndx) == 0)
+        {
+            log_msg(LOG_ERR, "[*] Custom Chain config parse error: "
+                "invalid character '%c' for chain type %i, "
+                "line: %s", *ndx, type, conf_str);
+            return 0;
+        }
     }
 
     /* Sanity check - j should be the number of chain fields
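Review bot: The new character check sits after `ndx++`, so it tests the character that follows the one just processed; the character `ndx` points at when the loop is entered is never examined by it, and unless that position is validated in code outside this hunk, an invalid leading character would pass. Running the check at the top of the loop body, before `tbuf[i++] = *ndx;`, would cover every character before it is copied. Separately, if `ndx` is a plain `char` pointer (as the `const char *` type of `conf_str` suggests), `isalnum(*ndx)` is undefined behaviour for bytes with the high bit set on platforms where `char` is signed; `isalnum((unsigned char)*ndx) == 0` avoids that. The rejected byte is also written raw through `'%c'`, so a control character from the config line reaches the log; formatting it as `0x%02x` with an `(unsigned char)` cast would keep the log line intact. The loop header and the rest of set_fw_chain_conf lie outside the hunk.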
@@ -736,9 +747,9 @@ set_fw_chain_conf(const int type, const char * const conf_str)
     */
     if(j != FW_NUM_CHAIN_FIELDS)
     {
-        log_msg(LOG_ERR, "[*] Custom Chain config parse error.\n"
-            "Wrong number of fields for chain type %i\n"
-            "Line: %s", type, conf_str);
+        log_msg(LOG_ERR, "[*] Custom Chain config parse error: "
+            "wrong number of fields for chain type %i, "
+            "line: %s", type, conf_str);
         return 0;
     }
 
index 83a72ce..9717b4a 100644 (file)
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/Wrong\snumber\sof\sfields/],
+        'positive_output_matches' => [qr/wrong\snumber\sof\sfields/i],
         'exec_err' => $YES,
         'fatal'    => $NO
     },
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain5'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/invalid.*position/],
+        'positive_output_matches' => [qr/invalid\scharacter/],
         'exec_err' => $YES,
         'fatal'    => $NO
     },
             "$fwknopdCmd -c $cf{'invalid_ipt_input_chain6'} -a $cf{'def_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'function' => \&generic_exec,
-        'positive_output_matches' => [qr/invalid.*position/],
+        'positive_output_matches' => [qr/invalid\scharacter/],
         'exec_err' => $YES,
         'fatal'    => $NO
     },