bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-01 23:59 UTC
[Bug 437] New: restore can segfaults when restoring corrupt policy counters
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=437

Summary: restore can segfaults when restoring corrupt policy counters
Product: iptables
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: iptables-restore
AssignedTo: laforge@netfilter.org
ReportedBy: razzor@kopf-tisch.de

In iptables-restore the return value of parse_counters() is not checked. So if the sscanf() in parse_counters() fails, wrong ($random or from previous chain) counters are written to the kernel. Also parse_counters() is called without checking its first argument. If it's NULL, the sscanf() will segfault.

diff -uNr iptables-1.3.5.org/ip6tables-restore.c iptables-1.3.5/ip6tables-restore.c --- iptables-1.3.5.org/ip6tables-restore.c 2005-06-24 18:34:19.000000000 +0200 +++ iptables-1.3.5/ip6tables-restore.c 2006-02-01 23:47:04.000000000 +0100 @@ -266,7 +266,10 @@ char *ctrs; ctrs = strtok(NULL, " \t\n"); - parse_counters(ctrs, &count); + if (!ctrs || !parse_counters(ctrs, &count)) + exit_error(PARAMETER_PROBLEM, + "invalid policy counters " + "for chain '%s'\n", chain); } else { memset(&count, 0, diff -uNr iptables-1.3.5.org/iptables-restore.c iptables-1.3.5/iptables-restore.c --- iptables-1.3.5.org/iptables-restore.c 2005-06-24 18:34:19.000000000 +0200 +++ iptables-1.3.5/iptables-restore.c 2006-02-01 23:45:00.000000000 +0100 @@ -269,7 +269,10 @@ char *ctrs; ctrs = strtok(NULL, " \t\n"); - parse_counters(ctrs, &count); + if (!ctrs || !parse_counters(ctrs, &count)) + exit_error(PARAMETER_PROBLEM, + "invalid policy counters " + "for chain '%s'\n", chain); } else { memset(&count, 0,
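
Review bot: in the ip6tables-restore.c hunk (@@ -266), the new condition !parse_counters(ctrs, &count) depends on parse_counters() returning zero for every failure, including a partial sscanf() match, and the function body is not part of the patch. Please state the return convention in the description or tighten the function so it reports success only when the whole token converted. The error text also reads the same for a missing token (ctrs is NULL) and a malformed one; printing the offending token when ctrs is non-NULL would make a corrupt save file easier to locate.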
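
Review bot: the iptables-restore.c hunk (@@ -269) repeats the ip6tables-restore.c change line for line, and both guard only this one call site. Moving the NULL test into parse_counters() itself would remove the duplicated condition and would also protect any other caller that hands it a strtok() result directly.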
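
The two failure modes described in the report (a NULL token from strtok() and counters left over from a previous chain after a failed sscanf()), as an added example that is not part of the original report or the iptables source. The `[packets:bytes]` token format, the `:CHAIN POLICY` line layout, `struct counters`, `parse_counters_checked()` and `policy_line_ok()` are assumptions made for illustration; the example goes a little beyond the patch by also rejecting trailing junk and negative values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the packet/byte counter pair of a chain policy. */
struct counters {
    unsigned long long pcnt;
    unsigned long long bcnt;
};

/* Assumed token format "[packets:bytes]". Returns 1 and fills *out on success;
 * returns 0 and leaves *out untouched on any failure. */
static int parse_counters_checked(const char *tok, struct counters *out)
{
    struct counters tmp = { 0, 0 };
    int end = 0;

    if (tok == NULL)                  /* strtok() found no further token */
        return 0;
    if (strchr(tok, '-') != NULL)     /* %llu would accept and wrap "-1" */
        return 0;
    /* Both fields must convert; %n is only stored once "]" has matched. */
    if (sscanf(tok, "[%llu:%llu]%n", &tmp.pcnt, &tmp.bcnt, &end) != 2)
        return 0;
    if (end == 0 || tok[end] != '\0') /* missing "]" or trailing junk */
        return 0;
    *out = tmp;
    return 1;
}

/* Tokenise a ":CHAIN POLICY [pkts:bytes]" line the way the patched code does
 * with strtok(), then validate the counters token (which may be absent). */
static int policy_line_ok(const char *line, struct counters *out)
{
    char buf[128];

    strncpy(buf, line, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    if (!strtok(buf, " \t\n") || !strtok(NULL, " \t\n"))
        return 0;                     /* chain name or policy missing */
    return parse_counters_checked(strtok(NULL, " \t\n"), out);
}

int main(void)
{
    struct counters c = { 7, 7 };     /* constructed stale values */
    int ok = policy_line_ok(":INPUT ACCEPT [10:840]", &c);
    int missing = policy_line_ok(":FORWARD DROP", &c);
    printf("%d %d %llu:%llu\n", ok, missing, c.pcnt, c.bcnt);
    return 0;
}
```

A caller that ignores the return value, as the unpatched code did, would go on to use whatever the counter struct held before the failed parse.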