[strongSwan] Using %any as protoport

divya mohan m.divya.mohan at gmail.com
Mon Nov 12 06:27:32 CET 2012 

Hi,


In file libfreeswan/ttoprotoport.c, function ttoprotoport(),

------------------------------------------------------------------------------------------------------
/* extract protocol by trying to resolve it by name */
    protocol = getprotobyname(proto_name);
    if (protocol != NULL) {
    *proto = protocol->p_proto;
    }
    else  /* failed, now try it by number */
    {
    l = strtol(proto_name, &end, 0);

    if (*proto_name && *end)
        return "<protocol> is neither a number nor a valid name";

    if (l < 0 || l > 0xff)
            return "<protocol> must be between 0 and 255";

    *proto = (u_int8_t)l;
    }

    /* is there a port wildcard? */
    *has_port_wildcard = (strcmp(service_name, "%any") == 0);
------------------------------------------------------------------------------------------------------

In above piece of code, shouldn't comparing with "%any" be done before
checking whether protocol is a valid protocol name/number?
Say, if I have leftprotoport=%any in my config file, this function
will return with err  "<protocol> is neither a number nor a valid
name"; without modifying value of has_port_wildcard.


Now, in file starter/confread.c, function kw_end(),
------------------------------------------------------------------------------------------------------
bool has_port_wildcard;
.
.
.
    case KW_PROTOPORT:
        ugh = ttoprotoport(value, 0, &end->protocol, &end->port,
&has_port_wildcard);
        end->has_port_wildcard = has_port_wildcard;
        break;
------------------------------------------------------------------------------------------------------

the variable has_port_wildcard is not initialized, and may contain random value.

The problem I was facing is that -  initially I had a configuration
having one connection with leftprotoport=%any.
Then I added another connection, and sent 'ipsec update'. (The initial
connection configuration has not changed.)
Starter compares the configuration of first connection between old and
new config files - and erroneously reports that they are different.
(This is because bool  has_port_wildcard might have had some non zero
value), Hence the first connection gets terminated, though there is no
need for this.


Could you please check whether this is a bug.


Regards,
Divya Mohan M

More information about the Users mailing list