Hi,

IPv4 AH and ESP matches contain bad save() functions.
This is one variant for fixing the problems.
Testrules:
-A INPUT -p esp -m esp --espspi 234 
-A INPUT -p esp -m esp --espspi 234:345 
-A INPUT -p esp -m esp --espspi 0:345 
-A INPUT -p esp -m esp --espspi ! 234 
-A INPUT -p esp -m esp --espspi ! 234:345 
-A INPUT -p esp -m esp --espspi ! 0:345 
-A INPUT -p ah -m ah --ahspi 234 
-A INPUT -p ah -m ah --ahspi 234:345 
-A INPUT -p ah -m ah --ahspi 0:345 
-A INPUT -p ah -m ah --ahspi ! 234 
-A INPUT -p ah -m ah --ahspi ! 234:345 
-A INPUT -p ah -m ah --ahspi ! 0:345 

Another question: 
how can I specify a signed and encrypted packet? 
(Ex. SPIs AH=101 ESP=120. The packet is: IPv4-AH-ESP)

Regards,

        kisza

-- 
    Andras Kis-Szabo       Security Development, Design and Audit
-------------------------/       Zorp, NetFilter and IPv6
 [EMAIL PROTECTED] /---------------------------------------------->
diff -urN netfilter/userspace.old/extensions/libipt_ah.c netfilter/userspace/extensions/libipt_ah.c
--- netfilter/userspace.old/extensions/libipt_ah.c	Wed Mar 20 22:18:46 2002
+++ netfilter/userspace/extensions/libipt_ah.c	Thu Mar 21 00:49:14 2002
@@ -91,7 +91,7 @@
 	case '1':
 		if (*flags & AH_SPI)
 			exit_error(PARAMETER_PROBLEM,
-				   "Only one `--spi' allowed");
+				   "Only one `--ahspi' allowed");
 		check_inverse(optarg, &invert, &optind, 0);
 		parse_ah_spis(argv[optind-1], ahinfo->spis);
 		if (invert)
@@ -152,17 +152,17 @@
 {
 	const struct ipt_ah *ahinfo = (struct ipt_ah *)match->data;
 
-	if (ahinfo->spis[0] != 0
-	    && ahinfo->spis[1] != 0xFFFFFFFF) {
-		if (ahinfo->invflags & IPT_AH_INV_SPI)
-			printf("! ");
+	if (!(ahinfo->spis[0] == 0
+	    && ahinfo->spis[1] == 0xFFFFFFFF)) {
+		printf("--ahspi %s", 
+			(ahinfo->invflags & IPT_AH_INV_SPI) ? "! " : "");
 		if (ahinfo->spis[0]
 		    != ahinfo->spis[1])
-			printf("--spi %u-%u ",
+			printf("%u:%u ",
 			       ahinfo->spis[0],
 			       ahinfo->spis[1]);
 		else
-			printf("--spi %u ",
+			printf("%u ",
 			       ahinfo->spis[0]);
 	}
 
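Review bot: The rewritten guard at the top of the hunk still drops one case: a rule entered as `--ahspi ! 0:4294967295` leaves spis[0]/spis[1] at the default 0/0xFFFFFFFF, so save() emits no `--ahspi` clause at all and the negation is lost on restore (the rule would then match every AH packet instead of none). Whether parse_ah_spis can actually produce that state is outside the hunk, so this is inferred, but the inversion flag is cheap to honour in the condition: `if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF) || (ahinfo->invflags & IPT_AH_INV_SPI)) {`. The same applies to the esp save() hunk (`@@ -152,17 +152,17 @@` in libipt_esp.c) with espinfo/IPT_ESP_INV_SPI. The added `printf("--ahspi %s", ` line also carries trailing whitespace after the comma. save() continues past the end of the hunk.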
diff -urN netfilter/userspace.old/extensions/libipt_esp.c netfilter/userspace/extensions/libipt_esp.c
--- netfilter/userspace.old/extensions/libipt_esp.c	Wed Mar 20 22:18:46 2002
+++ netfilter/userspace/extensions/libipt_esp.c	Thu Mar 21 00:49:42 2002
@@ -91,7 +91,7 @@
 	case '1':
 		if (*flags & ESP_SPI)
 			exit_error(PARAMETER_PROBLEM,
-				   "Only one `--spi' allowed");
+				   "Only one `--espspi' allowed");
 		check_inverse(optarg, &invert, &optind, 0);
 		parse_esp_spis(argv[optind-1], espinfo->spis);
 		if (invert)
@@ -152,17 +152,17 @@
 {
 	const struct ipt_esp *espinfo = (struct ipt_esp *)match->data;
 
-	if (espinfo->spis[0] != 0
-	    && espinfo->spis[1] != 0xFFFFFFFF) {
-		if (espinfo->invflags & IPT_ESP_INV_SPI)
-			printf("! ");
+	if (!(espinfo->spis[0] == 0
+	    && espinfo->spis[1] == 0xFFFFFFFF)) {
+		printf("--espspi %s", 
+			(espinfo->invflags & IPT_ESP_INV_SPI) ? "! " : "");
 		if (espinfo->spis[0]
 		    != espinfo->spis[1])
-			printf("--spi %u-%u ",
+			printf("%u:%u ",
 			       espinfo->spis[0],
 			       espinfo->spis[1]);
 		else
-			printf("--spi %u ",
+			printf("%u ",
 			       espinfo->spis[0]);
 	}
 
