Bug with malformed host in filter

Dave Edelman dedelman at iname.com
Wed Feb 27 13:14:39 EST 2013


I agree with considering it a number which should be interpreted as an
unsigned 32 bit integer. The RFCs don't agree.
 
The standard seems to be RFC1123 which makes very little sense to me.
Originally RFC952 did not permit a hostname to start with a digit. The
updated RFC permits a digit as the initial character and requires that the
application syntactically validate the name to determine if it is a valid
dotted-quad IPv4 address representation. It ignores the possibility of any
of the other representations (Hex, Octal, unsigned integer) and it makes
reference to the SMTP (and by implication, IPv6 URI) requirement to enclose
an IP address in square brackets.
 
I don't see a superseding RFC and I've seen what Cisco does with an IP
address of 003.005.005.010, treats it as octal. RFC 1738 (URL) seems to be
an advanced exercise in BNF creation but it also isn't going to accept
octal, hex, integer notation.
 
The relevant part of RFC 1123 is:
   2.1  Host Names and Numbers
 
      The syntax of a legal Internet host name was specified in RFC-952
      [DNS:4].  One aspect of host name syntax is hereby changed: the
      restriction on the first character is relaxed to allow either a
      letter or a digit.  Host software MUST support this more liberal
      syntax.
 
      Host software MUST handle host names of up to 63 characters and
      SHOULD handle host names of up to 255 characters.
 
      Whenever a user inputs the identity of an Internet host, it SHOULD
      be possible to enter either (1) a host domain name or (2) an IP
      address in dotted-decimal ("#.#.#.#") form.  The host SHOULD check
      the string syntactically for a dotted-decimal number before
      looking it up in the Domain Name System.
 
      DISCUSSION:
           This last requirement is not intended to specify the complete
           syntactic form for entering a dotted-decimal host number;
           that is considered to be a user-interface issue.  For
           example, a dotted-decimal number must be enclosed within
           "[ ]" brackets for SMTP mail (see Section 5.2.17).  This
           notation could be made universal within a host system,
           simplifying the syntactic checking for a dotted-decimal
           number.
 
           If a dotted-decimal number can be entered without such
           identifying delimiters, then a full syntactic check must be
           made, because a segment of a host domain name is now allowed
           to begin with a digit and could legally be entirely numeric
           (see Section 6.1.2.4).  However, a valid host name can never
           have the dotted-decimal form #.#.#.#, since at least the
           highest-level component label will be alphabetic.
 
 
--Dave
 
 
> -----Original Message-----
> From: elof2 at sentor.se [mailto:elof2 at sentor.se]
> Sent: Wednesday, February 27, 2013 11:51 AM
> To: Carter Bullard
> Cc: Dave Edelman; pauls at utdallas.edu; 'Argus Development'
> Subject: Re: [ARGUS] Bug with malformed host in filter
> 
> 
> I think it should be treated as a number.
> I have never seen anyone naming a host with just a number without any
> alpha characters in it. It's like begging for any kind of trouble. :-)
> 
> /Elof
> 
> On Wed, 27 Feb 2013, Carter Bullard wrote:
> 
> > Hey Dave,
> > So found the bug, but more interesting question is what is the right
> > thing here?
> > If you say " host 10 ", what do we expect, is the 10 a number or a name?
> > Currently we treat it as a number.  The only way to get it to be a
> > hostname is for it to be an FQDN, such as  10.qosient.com.
> >
> > The problem is this type of call:
> >
> >   ra - host "10"
> >
> > Currently, that still comes up as a number, not a name.
> > Any opinions?
> >
> > Carter
> >
> > On Feb 26, 2013, at 8:53 PM, "Dave Edelman" <dedelman at iname.com> wrote:
> >
> >> I can verify that under FC14 ra 3.0.7.3 does not segfault but it does
> >> complain about a filter syntax error.
> >>
> >> # ra -S localhost:561 - host 10
> >> ra[458]: Wed 2013-02-27 01:14:42.277 host 10 filter syntax error
> >>
> >> This is strange because according to the inet(3) man page, 10 is a
> >> perfectly acceptable IPv4 address.
> >> Just to make things even stranger, I do have a valid DNS resolution for
> >> 10 which is no surprise given Cablevision's level of technical acumen. (At
> >> least they aren't claiming to be authoritative.)
> >>
> >> #  dig 10
> >>
> >> ; <<>> DiG 9.7.4-P1-RedHat-9.7.4-2.P1.fc14 <<>> 10
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54672
> >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >>
> >> ;; QUESTION SECTION:
> >> ;10.                            IN      A
> >>
> >> ;; ANSWER SECTION:
> >> 10.                     0       IN      A       67.63.55.3
> >>
> >> ;; Query time: 54 msec
> >> ;; SERVER: 167.206.245.130#53(167.206.245.130)
> >> ;; WHEN: Wed Feb 27 01:15:15 2013
> >> ;; MSG SIZE  rcvd: 36
> >>
> >>
> >> --Dave
> >>
> >>
> >>> -----Original Message-----
> >>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
> >>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
> >>> On Behalf Of elof2 at sentor.se
> >>> Sent: Monday, February 25, 2013 11:51 AM
> >>> To: Carter Bullard
> >>> Cc: pauls at utdallas.edu; Argus Development
> >>> Subject: Re: [ARGUS] Bug with malformed host in filter
> >>>
> >>>
> >>> Sounds good. You're swift in response and action as always. :-)
> >>>
> >>> Yes, I manually compile and use the latest version of argus and other
> >>> apps when they have an important bugfix or new feature, but usually I try
> >>> to stick with the normal FreeBSD ports, since this makes managing
> >>> hundreds of boxes much easier.
> >>>
> >>> Perhaps Paul S will deploy an update of the FreeBSD port soon, getting
> >>> argus-clients closer to 3.0.7.5.
> >>>
> >>>
> >>>
> >>> On your FreeBSD VM, run: portsnap fetch update
> >>>
> >>> Remove any currently installed argus/ra binaries.
> >>>
> >>> cd /usr/ports/net-mgmt/argus3-clients
> >>> make
> >>> make install
> >>>
> >>> That should give you Ra Version 3.0.6.2 to play around with.
> >>>
> >>> /Elof
> >>>
> >>>
> >>> On Mon, 25 Feb 2013, Carter Bullard wrote:
> >>>
> >>>> No problems.  I'll look around to see what is up.  I've got a
> >>>> FreeBSD VM I can test on, will try to fire that up today.
> >>>> The fault concerns me, so I'll try to recreate that first.
> >>>>
> >>>> Do try to work with the latest at some point to see if we've
> >>>> fixed the problem.
> >>>>
> >>>> Carter
> >>>>
> >>>> On Feb 25, 2013, at 10:47 AM, elof2 at sentor.se wrote:
> >>>>
> >>>>>
> >>>>> I'm using the official Argus port on a FreeBSD 9.1 amd64 machine.
> >>>>>
> >>>>> Hehe, no, I have no host called "10". :)
> >>>>> ...and speaking of resolving, I have no /etc/resolv.conf at all.
> >>>>>
> >>>>> Unfortunately I currently have no time to compile and test
> >>>>> argus-clients-3.0.7.5. :-/
> >>>>>
> >>>>> /Elof
> >>>>>
> >>>>> On Mon, 25 Feb 2013, Carter Bullard wrote:
> >>>>>
> >>>>>> Hmmmm,
> >>>>>> That is interesting.  I'm not getting the same types of errors on
> >>>>>> Mac OS X. Are you using Centos by any chance (just a guess).  The
> >>>>>> filter should fail all the time.
> >>>>>> We figure out if " 10 ", which the filter thinks is either a digit
> >>>>>> or a string, is a good address by calling gethostbyname().  Any
> >>>>>> chance you have a host named " 10 " out there?
> >>>>>>
> >>>>>> Does argus-clients-3.0.7.5 do a better job ?
> >>>>>> Carter
> >>>>>>
> >>>>>>
> >>>>>> On Feb 25, 2013, at 9:02 AM, elof2 at sentor.se wrote:
> >>>>>>
> >>>>>>>
> >>>>>>> Hi Carter!
> >>>>>>>
> >>>>>>> I stumbled on to a bug when accidentally executing a ra command
> >>>>>>> with an incomplete IP address.
> >>>>>>> Strangely enough, the error-detection makes different decisions
> >>>>>>> depending on its place in the filter string.
> >>>>>>>
> >>>>>>> Example:
> >>>>>>>
> >>>>>>> #ra -Zb -nr argus.log - host 10.10.10.10 and host 10
> >>>>>>>
> >>>>>>> pid 1907 (ra), uid 0: exited on signal 11 (core dumped)
> >>>>>>> host 10.10.10.10 and host 10 filter syntax error
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> The filter "tcp and host 10" and other elements before "host 10"
> >>>>>>> also fail.
> >>>>>>>
> >>>>>>> However, a filter of just "host 10" by itself does not fail, nor
> >>>>>>> does "host 10 and host 10.10.10.10"
> >>>>>>>
> >>>>>>>
> >>>>>>> (ra version 3.0.6.2)
> >>>>>>>
> >>>>>>> /Elof
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>
> >>
> >
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130227/daa330b3/attachment.html>
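
The number-or-name ambiguity discussed in this thread, as an added example that is not part of the original messages or the Argus source: a C program that separates the strict "#.#.#.#" form RFC 1123 describes from the looser numeric forms that inet_aton() from inet(3) accepts, and from host names. The names classify_host, strict_dotted_quad and the enum values are hypothetical, and the sample tokens are constructed from the forms mentioned above.

```c
#define _DEFAULT_SOURCE          /* exposes inet_aton() on glibc */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum host_kind { HOST_NAME, HOST_DOTTED_QUAD, HOST_LEGACY_NUMERIC };

/* Full syntactic check for "#.#.#.#": exactly four decimal octets in
 * 0..255, no leading zeros (those are what inet_aton() reads as octal). */
static int strict_dotted_quad(const char *s, uint32_t *addr)
{
    uint32_t a = 0;
    for (int i = 0; i < 4; i++) {
        char *end;
        if (!isdigit((unsigned char)s[0])) return 0;
        if (s[0] == '0' && isdigit((unsigned char)s[1])) return 0;
        unsigned long v = strtoul(s, &end, 10);
        if (v > 255 || *end != (i < 3 ? '.' : '\0')) return 0;
        a = (a << 8) | (uint32_t)v;
        s = end + 1;
    }
    *addr = a;
    return 1;
}

/* Classify a filter token such as the 10 in "host 10"; *addr is host order. */
enum host_kind classify_host(const char *s, uint32_t *addr)
{
    struct in_addr in;
    if (strict_dotted_quad(s, addr)) return HOST_DOTTED_QUAD;
    /* inet_aton() also accepts 1-3 part forms and octal/hex parts. */
    if (inet_aton(s, &in)) { *addr = ntohl(in.s_addr); return HOST_LEGACY_NUMERIC; }
    return HOST_NAME;            /* only now would a resolver be consulted */
}

int main(void)
{
    /* Constructed inputs, using the forms discussed in the thread. */
    const char *tok[] = { "10", "10.10.10.10", "003.005.005.010",
                          "0x0a000001", "10.qosient.com" };
    const char *kind[] = { "name", "dotted-quad", "legacy-numeric" };
    for (size_t i = 0; i < sizeof tok / sizeof *tok; i++) {
        uint32_t a = 0;
        enum host_kind k = classify_host(tok[i], &a);
        printf("%-16s %-14s 0x%08x\n", tok[i], kind[k], (unsigned)a);
    }
    return 0;
}
```

A filter parser or log normalizer can reject or flag the legacy-numeric class explicitly, so that a truncated address such as `10` is never silently matched as 0.0.0.10 or sent to DNS.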

