bugzilla-daemon at netfilter.org
2014-May-19 15:25 UTC
[Bug 943] New: Memory corruption in libxtables/xtables.c + fix
https://bugzilla.netfilter.org/show_bug.cgi?id=943

           Summary: Memory corruption in libxtables/xtables.c + fix
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ip6tables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: ronald.wahl at raritan.com
   Estimated Hours: 0.0

Created attachment 444
  --> https://bugzilla.netfilter.org/attachment.cgi?id=444
Fix two off-by-one bugs

Hi,

Today I tried to use ip6tables-restore (1.4.21) on my small arm5 device which generated a segmentation fault. Since valgrind is not available on that platform I tried to reproduce it on x86 without success - valgrind didn't complain. So I've gone the hard way and debugged manually and found two off-by-one bugs in two adjacent lines. (see attachment for a proposed fix)

In my case the LSB of xtables_pending_matches was overwritten with zero that led to the segmentation fault. But simply adding an additional variable in the code or changing compilation options modified the behaviour so that no segmentation fault happens so it was rather subtle.

(1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);

In case of bits % 8 == 0 we write the byte behind *p

(2) p[bits/8] = 0xff << (8 - (bits & 7));

In case of bits == 128 we write the byte behind *p

I have not checked if there are more such issues. There are a lot more strcpy, strncpy, memcpy, ... ;-)

- ron

--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
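The two statements quoted in the report, modelled as an added example (not code from the attachment or from iptables): `reported_write_end` computes how far statements (1) and (2) would write into a 16-byte mask without performing the writes, and `prefix_to_mask` is one bounds-safe way to build the same mask. The function names, the 16-byte buffer size and the 1..128 scan range are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MASK_LEN 16 /* bytes in a 128-bit IPv6 mask (the buffer behind *p) */

/* One past the highest byte offset the two reported statements would touch
 * for a prefix length of 1..128, computed without performing the writes.
 * A result greater than MASK_LEN means a write past the end of the mask. */
static size_t reported_write_end(unsigned bits)
{
    size_t len = (128 - bits) / 8;                  /* memset length in (1) */
    size_t memset_end = len ? bits / 8 + 1 + len : 0;
    size_t store_end = bits / 8 + 1;                /* p[bits/8] in (2) */
    return memset_end > store_end ? memset_end : store_end;
}

/* Number of prefix lengths in 1..128 for which either statement overflows. */
static unsigned count_overflowing_prefixes(void)
{
    unsigned n = 0;
    for (unsigned bits = 1; bits <= 128; bits++)
        if (reported_write_end(bits) > MASK_LEN)
            n++;
    return n;
}

/* Bounds-safe construction of the same mask. Returns 0, or -1 if bits > 128. */
static int prefix_to_mask(unsigned bits, uint8_t mask[MASK_LEN])
{
    if (bits > 128)
        return -1;
    size_t full = bits / 8;   /* whole 0xff bytes, at most MASK_LEN */
    unsigned rem = bits % 8;  /* leftover bits; nonzero implies full < MASK_LEN */
    memset(mask, 0, MASK_LEN);
    memset(mask, 0xff, full);
    if (rem)
        mask[full] = (uint8_t)(0xff << (8 - rem));
    return 0;
}

int main(void)
{
    for (unsigned bits = 1; bits <= 128; bits++)
        if (reported_write_end(bits) > MASK_LEN)
            printf("/%u writes %zu byte(s) past the mask\n", bits,
                   reported_write_end(bits) - MASK_LEN);
    printf("%u prefix lengths overflow\n", count_overflowing_prefixes());
    return 0;
}
```

Every overflowing prefix length is a multiple of 8, and the overrun is a single byte, which is consistent with the report that only the LSB of the adjacent variable was clobbered.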
bugzilla-daemon at netfilter.org
2014-Sep-05 18:51 UTC
[Bug 943] Memory corruption in libxtables/xtables.c + fix
https://bugzilla.netfilter.org/show_bug.cgi?id=943

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |fw at strlen.de
         Resolution|                            |FIXED

--- Comment #1 from Florian Westphal <fw at strlen.de> 2014-09-05 20:51:56 CEST ---
sorry for not noticing this sooner.

Patch applied, thanks!