[strongSwan] Using %any as protoport

Andreas Steffen andreas.steffen at strongswan.org
Mon Nov 12 09:19:18 CET 2012


Hello Divya,

with strongSwan 5.0, the libfreeswan code has been removed from
our distribution and is not maintained any more. Please update
to our latest strongswan-5.0.1 release which offers the same
IKEv1 functionality but with [hopefully] superior code.

Best regards

Andreas

On 12.11.2012 06:27, divya mohan wrote:
> Hi,
> 
> 
> In file libfreeswan/ttoprotoport.c, function ttoprotoport(),
> 
> ------------------------------------------------------------------------------------------------------
>     /* extract protocol by trying to resolve it by name */
>     protocol = getprotobyname(proto_name);
>     if (protocol != NULL) {
>         *proto = protocol->p_proto;
>     }
>     else  /* failed, now try it by number */
>     {
>         l = strtol(proto_name, &end, 0);
> 
>         if (*proto_name && *end)
>             return "<protocol> is neither a number nor a valid name";
> 
>         if (l < 0 || l > 0xff)
>             return "<protocol> must be between 0 and 255";
> 
>         *proto = (u_int8_t)l;
>     }
> 
>     /* is there a port wildcard? */
>     *has_port_wildcard = (strcmp(service_name, "%any") == 0);
> ------------------------------------------------------------------------------------------------------
> 
> In the above piece of code, shouldn't comparing with "%any" be done before
> checking whether protocol is a valid protocol name/number?
> Say, if I have leftprotoport=%any in my config file, this function
> will return with err "<protocol> is neither a number nor a valid
> name" without modifying the value of has_port_wildcard.
> 
> 
> Now, in file starter/confread.c, function kw_end(),
> ------------------------------------------------------------------------------------------------------
> bool has_port_wildcard;
> .
> .
> .
>     case KW_PROTOPORT:
>         ugh = ttoprotoport(value, 0, &end->protocol, &end->port,
>                            &has_port_wildcard);
>         end->has_port_wildcard = has_port_wildcard;
>         break;
> ------------------------------------------------------------------------------------------------------
> 
> the variable has_port_wildcard is not initialized, and may contain random value.
> 
> The problem I was facing is that initially I had a configuration
> having one connection with leftprotoport=%any.
> Then I added another connection, and sent 'ipsec update'. (The initial
> connection configuration has not changed.)
> Starter compares the configuration of the first connection between old and
> new config files and erroneously reports that they are different.
> (This is because bool has_port_wildcard might have had some non-zero
> value.) Hence the first connection gets terminated, though there is no
> need for this.
> 
> 
> Could you please check whether this is a bug.
> 
> 
> Regards,
> Divya Mohan M
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
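As an added illustration of the two points raised in the report above (decide the %any wildcard before the protocol lookup can bail out, and never leave the caller's flag holding a stale value), here is a small parser written for this page; it is not strongSwan's own ttoprotoport(), and its protocol table is a constructed stand-in for getprotobyname() so it runs offline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for getprotobyname(), so the example runs offline. */
static const struct { const char *name; uint8_t number; } protos[] = {
    { "icmp", 1 }, { "tcp", 6 }, { "udp", 17 },
};
#define NPROTOS (sizeof(protos) / sizeof(protos[0]))

/* Parse "<proto>/<port>"; either part may be "%any", a bare "%any" means any
 * protocol and port. Returns NULL on success, else an error string. Every
 * output, *has_port_wildcard included, is set before any early return, so a
 * caller passing an uninitialised bool never reads a stale value.
 * (Hypothetical helper for this example, not strongSwan's ttoprotoport.) */
const char *parse_protoport(const char *src, uint8_t *proto, uint16_t *port,
                            bool *has_port_wildcard)
{
    const char *slash = strchr(src, '/');
    const char *service = slash ? slash + 1 : "%any";
    size_t plen = slash ? (size_t)(slash - src) : strlen(src), i;
    char proto_name[16], *end;
    long l;
    *proto = 0; *port = 0;
    /* decide the wildcard first, so a protocol error below cannot skip it */
    *has_port_wildcard = (strcmp(service, "%any") == 0);
    if (plen == 0 || plen >= sizeof(proto_name))
        return "<protocol> missing or too long";
    memcpy(proto_name, src, plen);
    proto_name[plen] = '\0';
    if (strcmp(proto_name, "%any") != 0) {         /* "%any" leaves proto 0 */
        for (i = 0; i < NPROTOS; i++)              /* resolve by name first */
            if (strcmp(proto_name, protos[i].name) == 0) break;
        if (i < NPROTOS) {
            *proto = protos[i].number;
        } else {                                   /* failed, try by number */
            l = strtol(proto_name, &end, 0);
            if (*end) return "<protocol> is neither a number nor a valid name";
            if (l < 0 || l > 0xff) return "<protocol> must be between 0 and 255";
            *proto = (uint8_t)l;
        }
    }
    if (*has_port_wildcard) return NULL;
    l = strtol(service, &end, 0);
    if (*service == '\0' || *end) return "<port> is not a number";
    if (l < 0 || l > 0xffff) return "<port> must be between 0 and 65535";
    *port = (uint16_t)l;
    return NULL;
}
```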