From e82ec99261f4db424a1b0567896d8124f3e639f4 Mon Sep 17 00:00:00 2001
From: Naredula Janardhana Reddy
Date: Wed, 11 Jan 2012 10:50:19 +0530
Subject: [PATCH] Bug 12973: FIX : Icmp code/type validation for ingress/egress rules causing host plugin failure.
---
 scripts/vm/hypervisor/xenserver/vmops | 4 ++--
 .../cloud/network/security/SecurityGroupManagerImpl.java | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index e2b9a6bb782..e6d77aa2a3d 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -1286,7 +1286,7 @@ def network_rules(session, args):
 range = start + "/" + end
 if start == "-1":
 range = "any"
- iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', keyword, ipsetname, 'src', '-j', 'ACCEPT']
+ iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-m', 'set', keyword, ipsetname, 'src', '-j', 'ACCEPT']
 cmds.append(iptables)
 util.SMlog(iptables)
@@ -1297,7 +1297,7 @@ def network_rules(session, args):
 range = start + "/" + end
 if start == "-1":
 range = "any"
- iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', 'ACCEPT']
+ iptables = ['iptables', '-I', vmchain, '-p', 'icmp', '--icmp-type', range, '-j', 'ACCEPT']
 cmds.append(iptables)
 util.SMlog(iptables)
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index f73491cf8a3..e18fb49e673 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -564,8 +564,11 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
 if (icmpType == -1 && icmpCode != -1) {
 throw new InvalidParameterValueException("Invalid icmp type range");
 }
- if (icmpCode > 255) {
- throw new InvalidParameterValueException("Invalid icmp code ");
+ if (icmpType != -1 && icmpCode == -1) {
+ throw new InvalidParameterValueException("Invalid icmp code: need non-negative icmp code ");
+ }
+ if (icmpCode > 255 || icmpType > 255 || icmpCode < -1 || icmpType < -1) {
+ throw new InvalidParameterValueException("Invalid icmp type/code ");
 }
 startPortOrType = icmpType;
 endPortOrCode = icmpCode;
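Review bot: The new range check runs after the two pairing checks, so an out-of-range type combined with code -1 (for example icmpType 300 or -5) is rejected by the second check with "need non-negative icmp code", which blames the wrong field. Moving `if (icmpCode > 255 || icmpType > 255 || icmpCode < -1 || icmpType < -1) {` ahead of the `icmpType == -1 && icmpCode != -1` test makes each message match the value that actually failed. The message would also be more useful if it stated the accepted values, e.g. `"Invalid icmp type/code: expected -1 or 0-255"`. The vmops hunks in this patch show the type and code being joined into the `--icmp-type` argument on the host, so this method appears to be the range gate for that plugin call and a one-line comment saying so (`// host plugin passes type/code to iptables --icmp-type; keep this range check in sync`) would help later maintainers. The enclosing method starts and ends outside the hunk.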