bugzilla-daemon at netfilter.org
2017-Mar-17 17:15 UTC
[Bug 1131] New: iptables-restore crashes on some fuzzed input
https://bugzilla.netfilter.org/show_bug.cgi?id=1131 Bug ID: 1131 Summary: iptables-restore crashes on some fuzzed input Product: iptables Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: iptables-restore Assignee: netfilter-buglog at lists.netfilter.org Reporter: oleg.strikov at gmail.com This issue doesn't have any security implication. I file this bug only because crashing on any input (even carefully crafted) is considered undesirable nowadays.> iptables/iptables-restore.c:438 > ret = do_command4(newargc, newargv, > &newargv[2], &handle, true);<...>> free_argv();By passing &newargv[2] to do_command4() we assume that this pointer won't be overwritten by the function. Otherwise, following call to free_argv() may crash if the overwritten pointer is either malformed or have duplicates in the newargv array. This pointer gets overwritten only when -t/--table option gets passed to do_command4() and we specifically check for this corner case:> iptables/iptables-restore.c:157 > if (!strncmp(param_buffer, "-t", 2) > || !strncmp(param_buffer, "--table", 8)) { > xtables_error(PARAMETER_PROBLEM, > "The -t option (seen in line %u) cannot be " > "used in iptables-restore.\n", line); > exit(1); > }Unfortunately, do_command4() uses getopt_long() to parse its arguments. This function is quite smart and provides some ways to bypass the check above but still pass -t/--table to the function: (1) --t,--ta,--tab,--tabl are treated as --table (try ls --he) (2) -ftf is treated as -f --table f In both cases argv[2] gets overwritten by malformed or duplicate pointer which leads to a crash inside free_argv(): $ cat << EOF > crash1 *filter -A INPUT --t 1194 -j ACCEPT -A OUTPUT COMMIT EOF $ ./xtables-multi iptables-restore -t < crash1 Segmentation fault (core dumped) $ cat << EOF > crash2 *filter -A INPUT -ftf -j ACCEPT COMMIT EOF $ ./xtables-multi iptables-restore -t < crash2 *** Error in `./xtables-multi': free(): invalid pointer: 0x00000000006ab673 *** Aborted (core dumped) Issue has been discovered with AFL (http://lcamtuf.coredump.cx/afl/). -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170317/8ccb6690/attachment.html>
bugzilla-daemon at netfilter.org
2017-May-17 14:41 UTC
[Bug 1131] iptables-restore crashes on some fuzzed input
https://bugzilla.netfilter.org/show_bug.cgi?id=1131 Oliver Ford <ojford at gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ojford at gmail.com Status|NEW |ASSIGNED Assignee|netfilter-buglog at lists.netf |ojford at gmail.com |ilter.org | -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170517/c6d4b034/attachment.html>
bugzilla-daemon at netfilter.org
2017-May-30 08:15 UTC
[Bug 1131] iptables-restore crashes on some fuzzed input
https://bugzilla.netfilter.org/show_bug.cgi?id=1131 Oliver Ford <ojford at gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|ASSIGNED |RESOLVED --- Comment #1 from Oliver Ford <ojford at gmail.com> --- Fix applied in commit f8e5ebc5986bffa682ed9e4497e3c19f19bf961e. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170530/a2f1fb99/attachment.html>
Apparently Analagous Threads
- Problems with crashing IBM X3630 M3/ZFS
- [Bug 62] New: I patched the iptables-restore and liblptulog for string included "," "
- Re: VM crash and lock manager
- [Bug 1085] New: No warning for weird interface characters if interface contains wildcard character
- [Bug 905] New: Please support passing a filename to iptables-save