<html>
<head>
<base href="https://bugzilla.netfilter.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - ulogd_filter_HWHRD out of bounds array access in hwmac_str"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1786">1786</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ulogd_filter_HWHRD out of bounds array access in hwmac_str
</td>
</tr>
<tr>
<th>Product</th>
<td>ulogd
</td>
</tr>
<tr>
<th>Version</th>
<td>SVN (please provide timestamp)
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Ubuntu
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>major
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>ulogd
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>james@dingwall.me.uk
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=748" name="attach_748" title="increase size of hwmac_str array">attachment 748</a> <a href="attachment.cgi?id=748&action=edit" title="increase size of hwmac_str array">[details]</a></span>
increase size of hwmac_str array
This problem has already been addressed on the netfilter-devel:
<a href="https://lore.kernel.org/netfilter-devel/20250113123225.GC2068886@celephais.dreamlands/T/#m5c5518576fb781fe43db8680ec69f5379d7b5460">https://lore.kernel.org/netfilter-devel/20250113123225.GC2068886@celephais.dreamlands/T/#m5c5518576fb781fe43db8680ec69f5379d7b5460</a>
This report is being made to help investigate a bugzilla issue and does not
require any action (other than being closed as resolved)
This report relates to
<a href="https://bugs.launchpad.net/ubuntu/+source/ulogd2/+bug/2080677">https://bugs.launchpad.net/ubuntu/+source/ulogd2/+bug/2080677</a>.
# apt-cache policy ulogd2
ulogd2:
Installed: 2.0.8-2build1
Candidate: 2.0.8-2build1
Version table:
*** 2.0.8-2build1 500
500 <a href="http://gb.archive.ubuntu.com/ubuntu">http://gb.archive.ubuntu.com/ubuntu</a> noble/universe amd64 Packages
100 /var/lib/dpkg/status
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble
It seems that there is an out of bounds array access in ulogd_filter_HWHDR.c
which leads to ulogd2 being terminated with SIGABRT and the following message
when it is compiled with -D_FORTIFY_SOURCE=3:
*** buffer overflow detected ***
The hwac_str array is defined as:
static char hwmac_str[MAX_KEY - START_KEY][HWADDR_LENGTH];
Which translates to:
static char hwmac_str[4 - 2][128];
i.e. an array of two elements, valid indexes 0, 1.
Adding a debug print statement in the parse_mac2str function:
fprintf(stderr, "using hwmac_str index %d\n", okey - START_KEY);
will result in the following message:
using hwmac_str index 2
So the for loop attempts to format the mac address in to an invalid index in
hwmac_str.
As a simple test I made the definition of hwmac_str an array of 3 elements
which prevented the crash. I don't know if it is correct to simply make
the array longer or if the bug is actually in the value of 'okey' passed to
the function. However based on the final return in interp_mac2str I think
the array definition is too short. The attached patch allows ulog2 to
run after rebuilding with dpkg-buildpackage.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>