[Bug 943] New: Memory corruption in libxtables/xtables.c + fix
bugzilla-daemon at netfilter.org
Mon May 19 17:25:40 CEST 2014
https://bugzilla.netfilter.org/show_bug.cgi?id=943
Summary: Memory corruption in libxtables/xtables.c + fix
Product: iptables
Version: 1.4.x
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: ip6tables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: ronald.wahl at raritan.com
Estimated Hours: 0.0
Created attachment 444
--> https://bugzilla.netfilter.org/attachment.cgi?id=444
Fix two off-by-one bugs
Hi,
Today I tried to use ip6tables-restore (1.4.21) on my small arm5 device which
generated a segmentation fault. Since valgrind is not available on that
platform I tried to reproduce it on x86 without success - valgrind didn't
complain. So I've gone the hard way and debugged manually and found two
off-by-one bugs in two adjacent lines. (see attachment for a proposed fix)
In my case the LSB of xtables_pending_matches was overwritten with zero, which
led to the segmentation fault. But simply adding an additional variable in the
code or changing compilation options modified the behaviour so that no
segmentation fault happened, so it was rather subtle.
(1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
In case of bits % 8 == 0 we write the byte behind *p
(2) p[bits/8] = 0xff << (8 - (bits & 7));
In case of bits == 128 we write the byte behind *p
I have not checked if there are more such issues. There are a lot more strcpy,
strncpy, memcpy, ... ;-)
- ron
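The following is an added demonstration, not code from the report, its attachment or the iptables source tree. It reproduces the two quoted lines as a stand-alone prefix-length-to-mask conversion operating on a 16-byte IPv6 mask, runs it inside a guarded buffer whose 17th byte is a canary, and pairs it with a corrected conversion written here for comparison (my own rewrite, not the patch attached to the bug). The buggy function is assumed to be called with 1 <= bits <= 128, which is the range the two reported cases concern.

```c
#include <stdio.h>
#include <string.h>

#define IP6_MASK_LEN 16   /* an in6_addr is 16 bytes */

/* Buggy conversion reproducing the arithmetic quoted in the report.
 * p must point at a 16-byte mask; bits is the prefix length (1..128). */
static void prefix_to_mask_buggy(unsigned char *p, unsigned int bits)
{
    memset(p, 0xff, bits / 8);
    /* (1) when bits % 8 == 0 this starts one byte too late and runs past p[15] */
    memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
    /* (2) when bits == 128 this writes p[16], one past the end */
    p[bits / 8] = 0xff << (8 - (bits & 7));
}

/* Corrected conversion (constructed here, not the upstream fix):
 * fill the whole 0xff bytes, zero the rest, then set the partial byte only
 * if there is one and only while it lies inside the 16-byte mask. */
static void prefix_to_mask_fixed(unsigned char *p, unsigned int bits)
{
    unsigned int full = bits / 8;   /* number of complete 0xff bytes */
    unsigned int rem  = bits & 7;   /* leading one-bits in the partial byte */

    memset(p, 0xff, full);
    if (full < IP6_MASK_LEN) {
        memset(p + full, 0, IP6_MASK_LEN - full);
        if (rem)
            p[full] = (unsigned char)(0xff << (8 - rem));
    }
}

/* Runs one conversion inside a guarded buffer. The 17th byte is a 0xAA canary
 * placed where the byte "behind *p" would live; the 16-byte result is copied
 * to out. Returns 1 if the canary survived, 0 if the conversion overran. */
static int canary_intact(void (*conv)(unsigned char *, unsigned int),
                         unsigned int bits, unsigned char out[IP6_MASK_LEN])
{
    unsigned char buf[IP6_MASK_LEN + 1];

    memset(buf, 0xAA, sizeof buf);
    conv(buf, bits);
    memcpy(out, buf, IP6_MASK_LEN);
    return buf[IP6_MASK_LEN] == 0xAA;
}

/* Counts how many prefix lengths in 1..128 make conv write past the mask. */
static int count_overrunning_prefixes(void (*conv)(unsigned char *, unsigned int))
{
    unsigned char scratch[IP6_MASK_LEN];
    unsigned int bits;
    int overruns = 0;

    for (bits = 1; bits <= 128; bits++)
        if (!canary_intact(conv, bits, scratch))
            overruns++;
    return overruns;
}

int main(void)
{
    unsigned char mask[IP6_MASK_LEN];
    unsigned int bits, i;

    for (bits = 1; bits <= 128; bits++) {
        if (!canary_intact(prefix_to_mask_buggy, bits, mask)) {
            printf("buggy: /%u overran the mask; result ", bits);
            for (i = 0; i < IP6_MASK_LEN; i++)
                printf("%02x", mask[i]);
            printf("\n");
        }
    }
    printf("buggy overruns: %d, fixed overruns: %d\n",
           count_overrunning_prefixes(prefix_to_mask_buggy),
           count_overrunning_prefixes(prefix_to_mask_fixed));
    return 0;
}
```

Running it shows exactly the pattern the report describes: every multiple of 8 (/8, /16, ... /128) clobbers the byte after the mask, while the mask contents themselves come out right, which is why the corruption only surfaces when something sensitive happens to sit directly behind the mask in memory.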