From: Michael Tremer Date: Fri, 2 Jan 2015 11:20:50 +0000 (+0100) Subject: firewall: Fix off-by-one error in configuration parser X-Git-Url: http://git.ipfire.org/?p=people%2Fdweismueller%2Fipfire-2.x.git;a=commitdiff_plain;h=d6ef5df18edfd8af46abbd09107cef9d42810cb4 firewall: Fix off-by-one error in configuration parser The configuration parser determines how many comma-separated values there are in a line. If new values are added we need to check first if those are set in every line to avoid any undefined behaviour. A wrong comparison parameter was used which caused that the limit feature was never enabled in the rule generation.
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 75a9357f6..a475e2d60 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -280,7 +280,7 @@ sub buildrules {
 # Concurrent connection limit
 my @ratelimit_options = ();
- if (($elements gt 34) && ($$hash{$key}[32] eq 'ON')) {
+ if (($elements ge 34) && ($$hash{$key}[32] eq 'ON')) {
 my $conn_limit = $$hash{$key}[33];
 if ($conn_limit ge 1) {
@@ -296,13 +296,13 @@ sub buildrules {
 }
 # Ratelimit
- if (($elements gt 37) && ($$hash{$key}[34] eq 'ON')) {
+ if (($elements ge 37) && ($$hash{$key}[34] eq 'ON')) {
 my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
- if ($rate_limit) {
- push(@ratelimit_options, ("-m", "limit"));
- push(@ratelimit_options, ("--limit", $rate_limit));
- }
+ if ($rate_limit) {
+ push(@ratelimit_options, ("-m", "limit"));
+ push(@ratelimit_options, ("--limit", $rate_limit));
+ }
 }
 # Check which protocols are used in this rule and so that we can
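Review bot: `ge` is Perl's string comparison operator, so the new guard `$elements ge 34` in the first hunk (and `$elements ge 37` in the Ratelimit hunk) compares the field count lexically rather than numerically. Assuming `$elements` holds a plain count, a value of 100 or more sorts below "34" and silently switches the feature off again, while a single-digit count from 4 to 9 sorts above it and passes the guard on a short row. I would write `if (($elements >= 34) && ($$hash{$key}[32] eq 'ON')) {` and use `>= 37` in the second hunk. The unchanged `if ($conn_limit ge 1)` has the same weakness, since any non-numeric text that sorts after "1" passes; `$conn_limit =~ /\A[0-9]+\z/ && $conn_limit >= 1` would keep malformed configuration values out of the generated rule. buildrules starts and ends outside the hunk.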
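Review bot: The `if ($rate_limit)` test in the Ratelimit hunk can never be false, because `$rate_limit` is interpolated as `"$$hash{$key}[35]/$$hash{$key}[36]"` and always contains at least the `/`. With the outer guard now reachable, a row that has field 34 set to ON but empty or malformed fields 35 and 36 still pushes `--limit` with that text into `@ratelimit_options`. Validate the two fields before building the string, for example `if ($$hash{$key}[35] =~ /\A[0-9]+\z/ && $$hash{$key}[36] =~ /\A[a-z]+\z/) {`, tightening the unit pattern to whatever names the configuration writer actually emits (not visible here).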