From 6aa0560d37d7750bdbef46eb4ddb8ef6bfc7e0c3 Mon Sep 17 00:00:00 2001
From: Naredula Janardhana Reddy
Date: Fri, 6 Jan 2012 19:33:07 +0530
Subject: [PATCH] bug 12917: security groups - icmp type/code validations.
---
scripts/vm/hypervisor/xenserver/vmops | 5 +++--
.../com/cloud/network/security/SecurityGroupManagerImpl.java | 4 ++--
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 014536d8081..addc314deea 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -1333,7 +1333,8 @@ def network_rules(session, args):
range = start + "/" + end
if start == "-1":
range = "any"
- iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', keyword, ipsetname, direction, '-j', action]
+ iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', keyword, ipsetname, direction, '-j', action]
+ cmds.append(iptables)
util.SMlog(iptables)
@@ -1344,7 +1345,7 @@ def network_rules(session, args):
range = start + "/" + end
if start == "-1":
range = "any"
- iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', action]
+ iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', action]
cmds.append(iptables)
util.SMlog(iptables)
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index 744e31d9ca4..b168c7bd115 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -603,8 +603,8 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
if (icmpType == -1 && icmpCode != -1) {
throw new InvalidParameterValueException("Invalid icmp type range");
}
- if (icmpCode > 255) {
- throw new InvalidParameterValueException("Invalid icmp code ");
+ if (icmpCode > 255 || icmpType > 255 || icmpCode < -1 || icmpType < -1) {
+ throw new InvalidParameterValueException("Invalid icmp type/code ");
}
startPortOrType = icmpType;
endPortOrCode = icmpCode;
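Review bot: The widened bounds check on the `+ if (icmpCode > 255 || icmpType > 255 || ...)` line still admits a concrete type with a wildcard code (icmpType in 0..255 together with icmpCode == -1); the check just above it only rejects the reverse combination. The vmops hunk on this page builds the iptables argument as `range = start + "/" + end` and maps only `start == "-1"` to `any`, so such a rule would reach the hypervisor as e.g. `8/-1`, which the `--icmp-type` parser is unlikely to accept, and would fail at rule-application time rather than at the API boundary where this commit is adding validation. If a per-type wildcard is not meant to be supported, reject it here with `if (icmpType != -1 && icmpCode == -1) { throw new InvalidParameterValueException("Invalid icmp code"); }`; if it is, the script side needs to emit the bare type when `end == "-1"`. The message could also carry the rejected values and drop its trailing space, `"Invalid icmp type/code: " + icmpType + "/" + icmpCode`. The enclosing method starts and ends outside the hunk.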