bugzilla-daemon at netfilter.org
2017-Mar-17 17:15 UTC
[Bug 1131] New: iptables-restore crashes on some fuzzed input
https://bugzilla.netfilter.org/show_bug.cgi?id=1131
Bug ID: 1131
Summary: iptables-restore crashes on some fuzzed input
Product: iptables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: iptables-restore
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: oleg.strikov at gmail.com
This issue doesn't have any security implication. I file this bug only because
crashing on any input (even carefully crafted) is considered undesirable
nowadays.
> iptables/iptables-restore.c:438
> ret = do_command4(newargc, newargv,
>                   &newargv[2], &handle, true);
> <...>
> free_argv();
By passing &newargv[2] to do_command4() we assume that this pointer won't be
overwritten by the function. Otherwise, the following call to free_argv() may
crash if the overwritten pointer is either malformed or has duplicates in the
newargv array. This pointer gets overwritten only when the -t/--table option
gets passed to do_command4(), and we specifically check for this corner case:
> iptables/iptables-restore.c:157
> if (!strncmp(param_buffer, "-t", 2)
>     || !strncmp(param_buffer, "--table", 8)) {
>         xtables_error(PARAMETER_PROBLEM,
>                 "The -t option (seen in line %u) cannot be "
>                 "used in iptables-restore.\n", line);
>         exit(1);
> }
Unfortunately, do_command4() uses getopt_long() to parse its arguments. This
function is quite smart and provides some ways to bypass the check above while
still passing -t/--table to the function:
(1) --t,--ta,--tab,--tabl are treated as --table (try ls --he)
(2) -ftf is treated as -f --table f
In both cases argv[2] gets overwritten by a malformed or duplicate pointer,
which leads to a crash inside free_argv():
$ cat << EOF > crash1
*filter
-A INPUT --t 1194 -j ACCEPT
-A OUTPUT
COMMIT
EOF
$ ./xtables-multi iptables-restore -t < crash1
Segmentation fault (core dumped)
$ cat << EOF > crash2
*filter
-A INPUT -ftf -j ACCEPT
COMMIT
EOF
$ ./xtables-multi iptables-restore -t < crash2
*** Error in `./xtables-multi': free(): invalid pointer: 0x00000000006ab673 ***
Aborted (core dumped)
Issue has been discovered with AFL (http://lcamtuf.coredump.cx/afl/).
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170317/8ccb6690/attachment.html>
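The bypass described in the report above can be reproduced without iptables. The following C program is an added example, not code from the bug report or from the iptables tree. It applies the quoted strncmp() prefix test to every token of a rule line, then feeds the same tokens to getopt_long() using a hypothetical option table modelled on a small subset of iptables' core options (-A/--append, -j/--jump, -f/--fragment, -t/--table); the option table and the function names are assumptions for this illustration. The argv arrays are constructed from the crash1 and crash2 rule lines. The point it makes: "--t 1194" and "-ftf" both pass the prefix test, yet getopt_long() decodes them as --table, so a check on the option the parser actually returns (rather than on the raw token) is what catches them. That check is an illustration only, not the fix the project applied.

```c
#define _GNU_SOURCE
#include <getopt.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Number of argv entries, excluding the terminating NULL. */
#define NARGS(a) ((int)(sizeof(a) / sizeof((a)[0])) - 1)

/*
 * Constructed inputs (not taken from the report's attachments): the rule
 * lines from crash1 and crash2 as iptables-restore would tokenise them,
 * plus a direct -t and a benign rule for comparison.  argv[0] stands in
 * for the program name iptables-restore places in newargv[0].
 */
static char *crash1_argv[] = { "iptables", "-A", "INPUT", "--t", "1194", "-j", "ACCEPT", NULL };
static char *crash2_argv[] = { "iptables", "-A", "INPUT", "-ftf", "-j", "ACCEPT", NULL };
static char *direct_argv[] = { "iptables", "-A", "INPUT", "-t", "filter", "-j", "ACCEPT", NULL };
static char *benign_argv[] = { "iptables", "-A", "INPUT", "-j", "ACCEPT", NULL };

/*
 * The prefix test quoted from iptables-restore.c:157, applied to each token.
 * It only recognises tokens that literally start with "-t" or that equal
 * "--table" exactly (strncmp with length 8 includes the NUL terminator).
 */
bool naive_table_check(int argc, char *argv[])
{
    for (int i = 1; i < argc; i++) {
        if (!strncmp(argv[i], "-t", 2) || !strncmp(argv[i], "--table", 8))
            return true;
    }
    return false;
}

/*
 * What getopt_long() actually decodes.  The option table is a hypothetical
 * subset modelled on iptables' core options; it is not the project's table.
 * Returns the argument given to -t/--table, or NULL if none was parsed.
 */
const char *parsed_table(int argc, char *argv[])
{
    static const struct option longopts[] = {
        { "append",   required_argument, NULL, 'A' },
        { "jump",     required_argument, NULL, 'j' },
        { "fragment", no_argument,       NULL, 'f' },
        { "table",    required_argument, NULL, 't' },
        { NULL, 0, NULL, 0 }
    };
    const char *table = NULL;
    int c;

    optind = 0; /* glibc/musl: 0 fully resets getopt state (BSD libc wants optreset = 1) */
    opterr = 0; /* stay quiet on unknown options */
    while ((c = getopt_long(argc, argv, "A:j:ft:", longopts, NULL)) != -1) {
        /* "--t" is an unambiguous abbreviation of --table; "-ftf" bundles -f then -t f */
        if (c == 't')
            table = optarg;
    }
    return table;
}

/* True when the raw-token check lets the input through but the parser still selects a table. */
bool bypasses_prefix_check(int argc, char *argv[])
{
    return !naive_table_check(argc, argv) && parsed_table(argc, argv) != NULL;
}

static void report(const char *label, int argc, char *argv[])
{
    const char *t = parsed_table(argc, argv);

    printf("%-7s prefix-check=%-4s getopt-sees-table=%-3s table=%-7s bypass=%s\n",
           label,
           naive_table_check(argc, argv) ? "hit" : "miss",
           t ? "yes" : "no",
           t ? t : "(none)",
           bypasses_prefix_check(argc, argv) ? "YES" : "no");
}

int main(void)
{
    report("crash1", NARGS(crash1_argv), crash1_argv);
    report("crash2", NARGS(crash2_argv), crash2_argv);
    report("direct", NARGS(direct_argv), direct_argv);
    report("benign", NARGS(benign_argv), benign_argv);
    return 0;
}
```

Build with `cc -std=gnu99 -Wall` and run; the crash1 and crash2 rows show the prefix check missing while the parser reports table "1194" and "f" respectively. The abbreviation behaviour is that of GNU getopt_long(); on BSD-derived libcs the reset between parses needs `optreset = 1` instead of `optind = 0`.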
bugzilla-daemon at netfilter.org
2017-May-17 14:41 UTC
[Bug 1131] iptables-restore crashes on some fuzzed input
https://bugzilla.netfilter.org/show_bug.cgi?id=1131
Oliver Ford <ojford at gmail.com> changed:
What        |Removed                                |Added
-------------------------------------------------------------------------
CC          |                                       |ojford at gmail.com
Status      |NEW                                    |ASSIGNED
Assignee    |netfilter-buglog at lists.netfilter.org |ojford at gmail.com
bugzilla-daemon at netfilter.org
2017-May-30 08:15 UTC
[Bug 1131] iptables-restore crashes on some fuzzed input
https://bugzilla.netfilter.org/show_bug.cgi?id=1131
Oliver Ford <ojford at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #1 from Oliver Ford <ojford at gmail.com> ---
Fix applied in commit f8e5ebc5986bffa682ed9e4497e3c19f19bf961e.