[Bug 943] New: Memory corruption in libxtables/xtables.c + fix

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon May 19 17:25:40 CEST 2014


https://bugzilla.netfilter.org/show_bug.cgi?id=943

           Summary: Memory corruption in libxtables/xtables.c + fix
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ip6tables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: ronald.wahl at raritan.com
   Estimated Hours: 0.0


Created attachment 444
  --> https://bugzilla.netfilter.org/attachment.cgi?id=444
Fix two off-by-one bugs

Hi,

Today I tried to use ip6tables-restore (1.4.21) on my small arm5 device which
generated a segmentation fault. Since valgrind is not available on that
platform I tried to reproduce it on x86 without success - valgrind didn't
complain. So I've gone the hard way and debugged manually and found two
off-by-one bugs in two adjacent lines. (see attachment for a proposed fix)

In my case the LSB of xtables_pending_matches was overwritten with zero that
led to the segmentation fault. But simply adding an additional variable in the
code or changing compilation options modified the behaviour so that no
segmentation fault happens so it was rather subtle.

(1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);

    In case of bits % 8 == 0 we write the byte behind *p

(2) p[bits/8] = 0xff << (8 - (bits & 7));

    In case of bits == 128 we write the byte behind *p

I have not checked if there are more such issues. There are a lot more strcpy,
strncpy, memcpy, ... ;-)

- ron
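
The two writes described in the report, as an added example that is not part of the original report or of the attached fix: it runs the quoted lines against a 16-byte mask followed by a canary, and compares them with one bounded variant. The leading 0xff memset, the canary layout and the names mask_reported, mask_bounded and check_prefix are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define MASK_LEN  16  /* sizeof(struct in6_addr) */
#define GUARD_LEN 8   /* constructed canary standing in for the adjacent variable */

typedef void (*mask_fn)(unsigned char *p, unsigned int bits);

/* The two lines quoted in the report; the leading 0xff memset is assumed context. */
static void mask_reported(unsigned char *p, unsigned int bits)
{
	memset(p, 0xff, bits / 8);
	memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);  /* (1) */
	p[bits / 8] = 0xff << (8 - (bits & 7));           /* (2) */
}

/* One bounded form (assumption: not the attachment, which is not shown here). */
static void mask_bounded(unsigned char *p, unsigned int bits)
{
	memset(p, 0xff, bits / 8);
	memset(p + (bits + 7) / 8, 0, (128 - bits) / 8);
	if (bits < 128)
		p[bits / 8] = 0xff << (8 - (bits & 7));
}

/* Returns -1 if the mask is wrong, else the number of canary bytes overwritten. */
static int check_prefix(mask_fn fn, unsigned int bits)
{
	unsigned char buf[MASK_LEN + GUARD_LEN];
	unsigned int i;
	int hits = 0;
	memset(buf, 0xAA, sizeof buf);
	fn(buf, bits);
	for (i = 0; i < 128; i++)  /* bit i must be set exactly when i < bits */
		if (((buf[i / 8] >> (7 - i % 8)) & 1u) != (i < bits))
			return -1;
	for (i = MASK_LEN; i < MASK_LEN + GUARD_LEN; i++)
		hits += buf[i] != 0xAA;
	return hits;
}

int main(void)
{
	unsigned int bits;
	for (bits = 1; bits <= 128; bits++)  /* prefix lengths 1..128 */
		if (check_prefix(mask_reported, bits) > 0)
			printf("/%u: reported code zeroes %d byte(s) past the mask\n", bits, check_prefix(mask_reported, bits));
	return 0;
}
```

Both variants produce the same mask for every prefix length; the reported lines additionally zero the byte at offset 16 whenever the prefix length is a multiple of 8, which is why the crash depended on what the linker happened to place after the mask.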
