[Bug 1131] New: iptables-restore crashes on some fuzzed input
bugzilla-daemon at netfilter.org
Fri Mar 17 18:15:54 CET 2017
https://bugzilla.netfilter.org/show_bug.cgi?id=1131
Bug ID: 1131
Summary: iptables-restore crashes on some fuzzed input
Product: iptables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: iptables-restore
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: oleg.strikov at gmail.com
This issue doesn't have any security implications. I file this bug only because
crashing on any input (even carefully crafted) is considered undesirable
nowadays.
> iptables/iptables-restore.c:438
>     ret = do_command4(newargc, newargv, &newargv[2], &handle, true);
<...>
>     free_argv();
By passing &newargv[2] to do_command4() we assume that this pointer won't be
overwritten by the function. Otherwise, the following call to free_argv() may crash
if the overwritten pointer is either malformed or has duplicates in the
newargv array. This pointer gets overwritten only when the -t/--table option gets
passed to do_command4(), and we specifically check for this corner case:
> iptables/iptables-restore.c:157
>     if (!strncmp(param_buffer, "-t", 2)
>         || !strncmp(param_buffer, "--table", 8)) {
>             xtables_error(PARAMETER_PROBLEM,
>                     "The -t option (seen in line %u) cannot be "
>                     "used in iptables-restore.\n", line);
>             exit(1);
>     }
Unfortunately, do_command4() uses getopt_long() to parse its arguments. This
function is quite smart and provides some ways to bypass the check above while
still passing -t/--table to the function:
(1) --t, --ta, --tab, --tabl are treated as --table (try ls --he)
(2) -ftf is treated as -f --table f
In both cases argv[2] gets overwritten by a malformed or duplicate pointer, which
leads to a crash inside free_argv():
$ cat << EOF > crash1
*filter
-A INPUT --t 1194 -j ACCEPT
-A OUTPUT
COMMIT
EOF
$ ./xtables-multi iptables-restore -t < crash1
Segmentation fault (core dumped)
$ cat << EOF > crash2
*filter
-A INPUT -ftf -j ACCEPT
COMMIT
EOF
$ ./xtables-multi iptables-restore -t < crash2
*** Error in `./xtables-multi': free(): invalid pointer: 0x00000000006ab673 ***
Aborted (core dumped)
The issue was discovered with AFL (http://lcamtuf.coredump.cx/afl/).
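As an added example (not part of the bug report or of iptables itself), the C program below puts the quoted strncmp pre-check beside a check that asks getopt_long() itself whether any token resolves to the table option, which is the property iptables-restore actually needs to enforce. The option table is a hypothetical four-entry subset of the real iptables one, and run_check() is a constructed tokenizer standing in for iptables-restore's line splitting.

```c
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Pre-parse check as quoted from iptables-restore.c: a literal prefix compare
 * on each raw token, blind to how getopt_long() will later interpret it. */
static bool weak_check_rejects(int argc, char **argv)
{
	for (int i = 1; i < argc; i++)
		if (!strncmp(argv[i], "-t", 2) || !strncmp(argv[i], "--table", 8))
			return true;
	return false;
}

/* Hardened check: let getopt_long() itself decide whether any token resolves to
 * the 't' option. The table is a hypothetical subset of the iptables options;
 * the leading '+' keeps getopt_long() from permuting argv. */
static bool parser_check_rejects(int argc, char **argv)
{
	static const struct option longopts[] = {
		{ "append",    required_argument, NULL, 'A' },
		{ "jump",      required_argument, NULL, 'j' },
		{ "fragments", no_argument,       NULL, 'f' },
		{ "table",     required_argument, NULL, 't' },
		{ NULL, 0, NULL, 0 }
	};
	bool seen = false;
	int c;
	optind = 0; /* glibc/musl: reset parser state before a fresh argv */
	opterr = 0; /* options outside our subset are not the point here */
	while ((c = getopt_long(argc, argv, "+A:j:ft:", longopts, NULL)) != -1)
		if (c == 't')
			seen = true;
	return seen;
}

/* Split one restore line on spaces into an argv vector (argv[0] is a dummy
 * program name, as iptables-restore prepends one) and run a check over it. */
static bool run_check(bool (*check)(int, char **), const char *line)
{
	char buf[256], *argv[64] = { "iptables" };
	int argc = 1;
	snprintf(buf, sizeof buf, "%s", line);
	for (char *t = strtok(buf, " "); t && argc < 63; t = strtok(NULL, " "))
		argv[argc++] = t;
	argv[argc] = NULL;
	return check(argc, argv);
}
```

Run over the two rule lines from the report, the literal check accepts both "--t 1194" and "-ftf" while the parser-level check rejects them, and both checks still reject a plain "-t filter".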