bugzilla-daemon at netfilter.org
2025-Jan-16 17:06 UTC
[Bug 1786] New: ulogd_filter_HWHRD out of bounds array access in hwmac_str
https://bugzilla.netfilter.org/show_bug.cgi?id=1786

            Bug ID: 1786
           Summary: ulogd_filter_HWHRD out of bounds array access in hwmac_str
           Product: ulogd
           Version: SVN (please provide timestamp)
          Hardware: x86_64
                OS: Ubuntu
            Status: NEW
          Severity: major
          Priority: P5
         Component: ulogd
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: james at dingwall.me.uk

Created attachment 748
  --> https://bugzilla.netfilter.org/attachment.cgi?id=748&action=edit
increase size of hwmac_str array

This problem has already been addressed on netfilter-devel:
https://lore.kernel.org/netfilter-devel/20250113123225.GC2068886@celephais.dreamlands/T/#m5c5518576fb781fe43db8680ec69f5379d7b5460

This report is being made to help investigate a bugzilla issue and does not require any action (other than being closed as resolved).

This report relates to https://bugs.launchpad.net/ubuntu/+source/ulogd2/+bug/2080677.

    # apt-cache policy ulogd2
    ulogd2:
      Installed: 2.0.8-2build1
      Candidate: 2.0.8-2build1
      Version table:
     *** 2.0.8-2build1 500
            500 http://gb.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
            100 /var/lib/dpkg/status

    # lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 24.04.1 LTS
    Release:        24.04
    Codename:       noble

It seems that there is an out of bounds array access in ulogd_filter_HWHDR.c which leads to ulogd2 being terminated with SIGABRT and the following message when it is compiled with -D_FORTIFY_SOURCE=3:

    *** buffer overflow detected ***

The hwmac_str array is defined as:

    static char hwmac_str[MAX_KEY - START_KEY][HWADDR_LENGTH];

Which translates to:

    static char hwmac_str[4 - 2][128];

i.e. an array of two elements, valid indexes 0, 1.

Adding a debug print statement in the parse_mac2str function:

    fprintf(stderr, "using hwmac_str index %d\n", okey - START_KEY);

will result in the following message:

    using hwmac_str index 2

So the for loop attempts to format the mac address into an invalid index in hwmac_str.

As a simple test I made the definition of hwmac_str an array of 3 elements, which prevented the crash. I don't know if it is correct to simply make the array longer or if the bug is actually in the value of 'okey' passed to the function. However, based on the final return in interp_mac2str, I think the array definition is too short. The attached patch allows ulogd2 to run after rebuilding with dpkg-buildpackage.
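
The indexing problem described in the report, modelled as an added example (not ulogd source and not the attached patch): the constants are the values quoted above, while `hwmac_demo`, `slot_for_key` and `format_mac` are hypothetical names. It shows the key that yields index 2 being refused with two slots and accepted with the three-slot sizing the reporter tested.

```c
/* Added illustration, not ulogd code. START_KEY, MAX_KEY and HWADDR_LENGTH
 * use the values quoted in the report; all other names are hypothetical. */
#include <stdio.h>
#include <stddef.h>

#define START_KEY      2
#define MAX_KEY        4
#define HWADDR_LENGTH  128

#define SLOTS_REPORTED (MAX_KEY - START_KEY)      /* 2 slots: indexes 0..1 */
#define SLOTS_TESTED   (MAX_KEY - START_KEY + 1)  /* 3 slots: indexes 0..2 */

static char hwmac_demo[SLOTS_TESTED][HWADDR_LENGTH];

/* Map an output key to a slot index, or -1 if that slot does not exist. */
static int slot_for_key(int okey, int nslots)
{
    int idx = okey - START_KEY;
    return (idx >= 0 && idx < nslots) ? idx : -1;
}

/* Format a MAC into the slot for okey. Refuses keys outside the array and
 * inputs that cannot fit; returns characters written, or -1 on refusal. */
static int format_mac(int okey, int nslots, const unsigned char *mac, size_t len)
{
    int idx = slot_for_key(okey, nslots);
    size_t off = 0;

    if (idx < 0 || len == 0 || len * 3 > HWADDR_LENGTH)
        return -1;              /* each byte needs "xx:" or a final "xx\0" */
    for (size_t i = 0; i < len; i++)
        off += (size_t)snprintf(hwmac_demo[idx] + off, HWADDR_LENGTH - off,
                                i ? ":%02x" : "%02x", mac[i]);
    return (int)off;
}

int main(void)
{
    const unsigned char mac[] = { 0x00, 0x16, 0x3e, 0xaa, 0xbb, 0xcc }; /* constructed */

    printf("2 slots, okey %d -> %d\n", MAX_KEY,
           format_mac(MAX_KEY, SLOTS_REPORTED, mac, sizeof mac));
    printf("3 slots, okey %d -> %d\n", MAX_KEY,
           format_mac(MAX_KEY, SLOTS_TESTED, mac, sizeof mac));
    printf("slot 2: %s\n", hwmac_demo[2]);
    return 0;
}
```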