[Bug 437] New: restore can segfaults when restoring corrupt policy counters

bugzilla-daemon at bugzilla.netfilter.org
Wed Feb 1 23:59:49 CET 2006


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=437

           Summary: restore can segfaults when restoring corrupt policy
                    counters
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: iptables-restore
        AssignedTo: laforge at netfilter.org
        ReportedBy: razzor at kopf-tisch.de


In iptables-restore the return value of parse_counters() is not checked.
So if the sscanf() in parse_counters() fails, wrong ($random or from previous
chain) counters are written to the kernel.

Also parse_counters() is called without checking its first argument.
If it's NULL, the sscanf() will segfault.

diff -uNr iptables-1.3.5.org/ip6tables-restore.c iptables-1.3.5/ip6tables-restore.c
--- iptables-1.3.5.org/ip6tables-restore.c	2005-06-24 18:34:19.000000000 +0200
+++ iptables-1.3.5/ip6tables-restore.c	2006-02-01 23:47:04.000000000 +0100
@@ -266,7 +266,10 @@
 					char *ctrs;
 					ctrs = strtok(NULL, " \t\n");
 
-					parse_counters(ctrs, &count);
+					if (!ctrs || !parse_counters(ctrs, &count))
+						exit_error(PARAMETER_PROBLEM,
+							   "invalid policy counters "
+							   "for chain '%s'\n", chain);
 
 				} else {
 					memset(&count, 0, 
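
Review bot: the new test `if (!ctrs || !parse_counters(ctrs, &count))` treats a zero return as failure, but parse_counters() itself is not part of this patch, so the fix only holds if that function returns nonzero solely when both counter fields were parsed. Please confirm that a partial sscanf() match is also reported as failure; otherwise count can still carry a stale value into the kernel. The error message names the chain but not the offending input; if a line number is available at this point, including it would make a corrupt save file much easier to locate.
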
diff -uNr iptables-1.3.5.org/iptables-restore.c iptables-1.3.5/iptables-restore.c
--- iptables-1.3.5.org/iptables-restore.c	2005-06-24 18:34:19.000000000 +0200
+++ iptables-1.3.5/iptables-restore.c	2006-02-01 23:45:00.000000000 +0100
@@ -269,7 +269,10 @@
 					char *ctrs;
 					ctrs = strtok(NULL, " \t\n");
 
-					parse_counters(ctrs, &count);
+					if (!ctrs || !parse_counters(ctrs, &count))
+						exit_error(PARAMETER_PROBLEM,
+							   "invalid policy counters "
+							   "for chain '%s'\n", chain);
 
 				} else {
 					memset(&count, 0,
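
Review bot: this repeats the same four-line check as the ip6tables-restore.c hunk. Moving the NULL test into parse_counters() would protect both callers, and any future one, with a single change, leaving the call sites with only the return-value check. The format string also ends in "\n"; check whether exit_error() already terminates its message, so the output does not gain an extra blank line.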
