author | Cedric Berger <cedric@cvs.openbsd.org> | 2003-01-10 14:21:22 +0000 |
committer | Cedric Berger <cedric@cvs.openbsd.org> | 2003-01-10 14:21:22 +0000 |
commit | 9a822f4f2525d4471a85c3f91bfcc161758bf7ad (patch) | |
tree | 8618aee58275fc5b28f09b1bb3cbf6b4019248bf | |
parent | 6c265b531e61afb02271ac6ff0b8d4f1cd4e6dd4 (diff) |
Be a bit more strict when parsing options.
Disallow "pfctl -s rabbits" and friends.
ok dhartmei@
-rw-r--r-- | sbin/pfctl/pfctl.c | 68 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_table.c | 48 |
2 files changed, 72 insertions, 44 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 50b3689dfd2..0b4a5ce6062 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.129 2003/01/09 18:55:32 dhartmei Exp $ */
+/* $OpenBSD: pfctl.c,v 1.130 2003/01/10 14:21:21 cedric Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -49,6 +49,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <assert.h>
 
 #include "pfctl_parser.h"
 #include "pfctl.h"
@@ -77,6 +78,7 @@ int pfctl_clear_rule_counters(int, int);
 int pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t);
 int pfctl_test_altqsupport(int, int);
 int pfctl_show_anchors(int, int);
+char *pfctl_lookup_option(char *, char **);
 
 char *clearopt;
 char *rulesopt;
@@ -158,6 +160,25 @@ static const struct {
 	{ NULL, NULL }
 };
 
+static char *clearopt_list[] = {
+	"nat", "queue", "rules", "state", "info", "Tables", "all", NULL
+};
+
+static char *showopt_list[] = {
+	"nat", "queue", "rules", "anchors", "state", "info", "labels",
+	"timeouts", "memory", "Tables", "all", NULL
+};
+
+static char *tblcmdopt_list[] = {
+	"create", "kill", "flush", "add", "delete", "replace", "show",
+	"test", "zero", NULL
+};
+
+static char *debugopt_list[] = {
+	"none", "urgent", "misc", NULL
+};
+
+
 void
 usage(void)
 {
@@ -1211,6 +1232,18 @@ pfctl_show_anchors(int dev, int opts)
 	return (0);
 }
 
+char *
+pfctl_lookup_option(char *cmd, char **list)
+{
+	if (cmd != NULL && *cmd)
+		for (; *list; list++)
+			if (!strncmp(cmd, *list, strlen(cmd)))
+				return (*list);
+	return (NULL);
+}
+
+
+
 int
 main(int argc, char *argv[])
 {
@@ -1241,7 +1274,11 @@ main(int argc, char *argv[])
 			opts |= PF_OPT_QUIET;
 			break;
 		case 'F':
-			clearopt = optarg;
+			clearopt = pfctl_lookup_option(optarg, clearopt_list);
+			if (clearopt == NULL) {
+				warnx("Unknown flush modifier '%s'", optarg);
+				usage();
+			}
 			mode = O_RDWR;
 			break;
 		case 'k':
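Review bot: pfctl_lookup_option (hunk @@ -1211) returns the first list entry that cmd is a prefix of, so an abbreviation that fits several entries is resolved by list order instead of being rejected; with the lists added at @@ -158, `-s a` expands to "anchors" while `-F a` expands to "all", and because strncmp is case-sensitive `-s t` means "timeouts" but `-s T` means "Tables". This is the same first-match rule the removed commands[] loop in pfctl_table.c used, but it now also governs -F, which can discard the whole ruleset, so the contract should be stated on the function: `/* Return the first entry of list that cmd is a prefix of, or NULL. Ambiguous abbreviations resolve by list order, so keep each list ordered by its preferred expansion. */`. Neither cmd nor the entries are written through, so `const char *cmd` and `static const char *const` lists would also let the compiler enforce that the tables stay read-only.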
@@ -1280,13 +1317,21 @@ main(int argc, char *argv[])
 			loadopt |= PFCTL_FLAG_OPTION;
 			break;
 		case 's':
-			showopt = optarg;
+			showopt = pfctl_lookup_option(optarg, showopt_list);
+			if (showopt == NULL) {
+				warnx("Unknown show modifier '%s'", optarg);
+				usage();
+			}
 			break;
 		case 't':
 			tableopt = optarg;
 			break;
 		case 'T':
-			tblcmdopt = optarg;
+			tblcmdopt = pfctl_lookup_option(optarg, tblcmdopt_list);
+			if (tblcmdopt == NULL) {
+				warnx("Unknown table command '%s'", optarg);
+				usage();
+			}
 			break;
 		case 'v':
 			if (opts & PF_OPT_VERBOSE)
@@ -1294,7 +1339,11 @@ main(int argc, char *argv[])
 			opts |= PF_OPT_VERBOSE;
 			break;
 		case 'x':
-			debugopt = optarg;
+			debugopt = pfctl_lookup_option(optarg, debugopt_list);
+			if (debugopt == NULL) {
+				warnx("Unknown debug level '%s'", optarg);
+				usage();
+			}
 			mode = O_RDWR;
 			break;
 		case 'z':
@@ -1407,8 +1456,7 @@ main(int argc, char *argv[])
 			pfctl_clear_tables(opts);
 			break;
 		default:
-			warnx("Unknown flush modifier '%s'", clearopt);
-			error = 1;
+			assert(0);
 		}
 	}
 	if (state_killers)
@@ -1468,8 +1516,7 @@ main(int argc, char *argv[])
 			pfctl_show_tables(opts);
 			break;
 		default:
-			warnx("Unknown show modifier '%s'", showopt);
-			error = 1;
+			assert(0);
 		}
 	}
 
@@ -1489,8 +1536,7 @@ main(int argc, char *argv[])
 			pfctl_debug(dev, PF_DEBUG_MISC, opts);
 			break;
 		default:
-			warnx("Unknown debug level '%s'", debugopt);
-			error = 1;
+			assert(0);
 		}
 	}
 
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index 77a3bf5e9bd..dc1724e351f 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_table.c,v 1.15 2003/01/09 18:59:02 dhartmei Exp $ */
+/* $OpenBSD: pfctl_table.c,v 1.16 2003/01/10 14:21:21 cedric Exp $ */
 
 /*
  * Copyright (c) 2002 Cedric Berger
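Review bot: The `assert(0)` that replaces the warnx/error = 1 default at @@ -1407 (and likewise at @@ -1468, @@ -1489, and the trailing `else assert(0);` in pfctl_table.c at @@ -333) compiles to nothing when NDEBUG is defined, so in such a build an unrecognised modifier would fall out of the switch silently with error still 0. The branch is only unreachable because the new -F/-s/-T/-x cases at @@ -1241, @@ -1280 and @@ -1294 call usage() right after warnx(), which presumably does not return; should that ever change, a NULL clearopt/showopt/debugopt lands here. Since the lists at @@ -158 and these switches are kept in step by hand, a check that survives release builds is the safer guard, e.g. `default: errx(1, "internal error: unhandled flush modifier");` and the matching message in the other two switches. main() starts and ends outside these hunks.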
@@ -81,21 +81,6 @@ static union {
 static int size, msize, ticket, inactive;
 extern char *__progname;
 
-static char *commands[] = {
-	"-F", /* pfctl -F tables: flush all tables */
-	"-s", /* pfctl -s tables: show all tables */
-	"create", /* create a new table */
-	"kill", /* kill a table */
-	"flush", /* flush all addresses of a table */
-	"add", /* add one or more addresses in a table */
-	"delete", /* delete one or more addresses from a table */
-	"replace", /* replace the addresses of the table */
-	"show", /* show the content (addresses) of a table */
-	"test", /* test if the given addresses match a table */
-	"zero", /* clear all the statistics of a table */
-	NULL
-};
-
 static char *stats_text[PFR_DIR_MAX][PFR_OP_TABLE_MAX] = {
 	{ "In/Block:", "In/Pass:", "In/XPass:" },
 	{ "Out/Block:", "Out/Pass:", "Out/XPass:" }
@@ -137,14 +122,10 @@ pfctl_table(int argc, char *argv[], char *tname, char *command,
     char *file, int opts)
 {
 	struct pfr_table table;
-	char **p;
 	int nadd = 0, ndel = 0, nchange = 0, nzero = 0;
 	int i, flags = 0, nmatch = 0;
 
-	for (p = commands; *p != NULL; p++)
-		if (!strncmp(command, *p, strlen(command)))
-			break;
-	if (*p == NULL)
+	if (command == NULL)
 		usage();
 	if (opts & PF_OPT_NOACTION)
 		flags |= PFR_FLAG_DUMMY;
@@ -156,14 +137,14 @@ pfctl_table(int argc, char *argv[], char *tname, char *command,
 		    sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name))
 			errx(1, "pfctl_table: strlcpy");
 	}
-	if (!strcmp(*p, "-F")) {
+	if (!strcmp(command, "-F")) {
 		if (argc || file != NULL)
 			usage();
 		RVTEST(pfr_clr_tables(&ndel, flags));
 		if (!(opts & PF_OPT_QUIET))
 			fprintf(stderr, "%d tables deleted%s.\n", ndel,
 			    DUMMY);
-	} else if (!strcmp(*p, "-s")) {
+	} else if (!strcmp(command, "-s")) {
 		if (argc || file != NULL)
 			usage();
 		for (;;) {
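Review bot: With commands[] removed at @@ -81, the set of accepted table commands is now defined only by tblcmdopt_list in pfctl.c, while the strcmp chain that consumes it (starting at @@ -156) stays in this file, and the new `if (command == NULL)` guard at @@ -137 only catches a failed lookup, not a list entry that has no branch here. Nothing in pfctl_table() now says where command is expected to come from, or that "-F"/"-s" are presumably passed directly by the flush/show paths in pfctl.c rather than through the lookup. A comment above the guard would make that coupling visible to the next editor: `/* command is "-F", "-s", or an entry of tblcmdopt_list in pfctl.c; keep that list and the strcmp chain below in step. */`. pfctl_table() starts and ends outside these hunks.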
@@ -188,27 +169,27 @@ pfctl_table(int argc, char *argv[], char *tname, char *command,
 				else
 					print_table(buffer.tables+i,
 					    opts & PF_OPT_VERBOSE);
-	} else if (!strcmp(*p, "create")) {
+	} else if (!strcmp(command, "create")) {
 		if (argc || file != NULL)
 			usage();
 		table.pfrt_flags = PFR_TFLAG_PERSIST;
 		RVTEST(pfr_add_tables(&table, 1, &nadd, flags));
 		if (!(opts & PF_OPT_QUIET))
 			fprintf(stderr, "%d table added%s.\n", nadd, DUMMY);
-	} else if (!strcmp(*p, "kill")) {
+	} else if (!strcmp(command, "kill")) {
 		if (argc || file != NULL)
 			usage();
 		RVTEST(pfr_del_tables(&table, 1, &ndel, flags));
 		if (!(opts & PF_OPT_QUIET))
 			fprintf(stderr, "%d table deleted%s.\n", ndel, DUMMY);
-	} else if (!strcmp(*p, "flush")) {
+	} else if (!strcmp(command, "flush")) {
 		if (argc || file != NULL)
 			usage();
 		RVTEST(pfr_clr_addrs(&table, &ndel, flags));
 		if (!(opts & PF_OPT_QUIET))
 			fprintf(stderr, "%d addresses deleted%s.\n", ndel,
 			    DUMMY);
-	} else if (!strcmp(*p, "add")) {
+	} else if (!strcmp(command, "add")) {
 		load_addr(argc, argv, file, 0);
 		if (opts & PF_OPT_VERBOSE)
 			flags |= PFR_FLAG_FEEDBACK;
@@ -223,7 +204,7 @@ pfctl_table(int argc, char *argv[], char *tname, char *command,
 				    buffer.addrs[i].pfra_fback)
 					print_addrx(buffer.addrs+i, NULL,
 					    opts & PF_OPT_USEDNS);
-	} else if (!strcmp(*p, "delete")) {
+	} else if (!strcmp(command, "delete")) {
 		load_addr(argc, argv, file, 0);
 		if (opts & PF_OPT_VERBOSE)
 			flags |= PFR_FLAG_FEEDBACK;
@@ -238,7 +219,7 @@ pfctl_table(int argc, char *argv[], char *tname, char *command,
 				    buffer.addrs[i].pfra_fback)
 					print_addrx(buffer.addrs+i, NULL,
 					    opts & PF_OPT_USEDNS);
-	} else if (!strcmp(*p, "replace")) {
+	} else if (!strcmp(command, "replace")) {
 		load_addr(argc, argv, file, 0);
 		if (opts & PF_OPT_VERBOSE)
 			flags |= PFR_FLAG_FEEDBACK;
@@ -272,7 +253,7 @@ pfctl_table(int argc, char *argv[], char *tname, char *command,
 				    buffer.addrs[i].pfra_fback)
 					print_addrx(buffer.addrs+i, NULL,
 					    opts & PF_OPT_USEDNS);
-	} else if (!strcmp(*p, "show")) {
+	} else if (!strcmp(command, "show")) {
 		if (argc || file != NULL)
 			usage();
 		for (;;) {
@@ -298,7 +279,7 @@ pfctl_table(int argc, char *argv[], char *tname, char *command,
 				print_addrx(buffer.addrs+i, NULL,
 				    opts & PF_OPT_USEDNS);
 		}
-	} else if (!strcmp(*p, "test")) {
+	} else if (!strcmp(command, "test")) {
 		load_addr(argc, argv, file, 1);
 		if (opts & PF_OPT_VERBOSE2) {
 			flags |= PFR_FLAG_REPLACE;
@@ -325,7 +306,7 @@ pfctl_table(int argc, char *argv[], char *tname, char *command,
 			    opts & PF_OPT_USEDNS);
 		if (nmatch < size)
 			return (2);
-	} else if (!strcmp(*p, "zero")) {
+	} else if (!strcmp(command, "zero")) {
 		if (argc || file != NULL)
 			usage();
 		flags |= PFR_FLAG_ADDRSTOO;
@@ -333,7 +314,8 @@ pfctl_table(int argc, char *argv[], char *tname, char *command,
 		if (!(opts & PF_OPT_QUIET))
 			fprintf(stderr, "%d table/stats cleared%s.\n", nzero,
 			    DUMMY);
-	}
+	} else
+		assert(0);
 	return (0);
 }
 
|