Subject: minor bug in iptables 1.2.9
From: Karsten Desler @ 2004-01-30 8:48 UTC
To: netfilter-devel
Hi,
while reading the iptables 1.2.9 source, I found this small bug in
iptables.c line 276:
struct in_addr *
dotted_to_addr(const char *dotted)
{
char buf[20];
...
/* copy dotted string, because we need to modify it */
strncpy(buf, dotted, sizeof(buf) - 1);
...
strncpy does not \0-terminate strings if strlen(src) == n, thus the
following loop can easily run over the end of buf, if a big enough
mask is given:
iptables -A INPUT -p tcp -s 1.1.1.1/000000000000000000.
Attached is a patch to fix this problem.
Karsten
Attachment: iptables-1.2.9-overflow.patch
--- iptables~.c 2004-01-30 09:34:29.000000000 +0100
+++ iptables.c 2004-01-30 09:35:14.000000000 +0100
@@ -274,6 +274,7 @@
/* copy dotted string, because we need to modify it */
strncpy(buf, dotted, sizeof(buf) - 1);
+ buf[sizeof(buf) - 1] = '\0';
addrp = (unsigned char *) &(addr.s_addr);
p = buf;
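Review bot: the added `buf[sizeof(buf) - 1] = '\0';` stops the walk from leaving buf, but an input of 19 or more characters is now silently cut short and the loop parses the shortened string as if it were the whole address. Since dotted_to_addr already returns a pointer, consider checking `strlen(dotted) >= sizeof(buf)` before the strncpy and returning NULL so an overlong input is rejected rather than reinterpreted. A one-line comment above the new terminator, noting that strncpy leaves the copy unterminated when the source fills it, would also keep the line from being dropped later as redundant.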
Subject: Re: minor bug in iptables 1.2.9
From: Martin Josefsson @ 2004-01-31 13:23 UTC
To: Karsten Desler; Cc: Netfilter-devel
On Fri, 2004-01-30 at 09:48, Karsten Desler wrote:
> strncpy does not \0-terminate strings if strlen(src) == n, thus the
> following loop can easily run over the end of buf, if a big enough
> mask is given:
> iptables -A INPUT -p tcp -s 1.1.1.1/000000000000000000.
>
> Attached is a patch to fix this problem.
Applied, thanks
--
/Martin
Subject: Re: minor bug in iptables 1.2.9
From: Karsten Desler @ 2004-01-31 13:56 UTC
To: Martin Josefsson; Cc: netfilter-devel
Hi,
today I had a little more time to look at the code. A few lines
down, there's another incarnation of the same bug.
Line 641:
char buf[256];
...
strncpy(buf, name, sizeof(buf) - 1);
if ((p = strrchr(buf, '/')) != NULL) {
...
Patch attached.
Karsten
Attachment: iptables-1.2.9-overflow2.patch
--- iptables~.c 2004-01-31 14:42:29.000000000 +0100
+++ iptables.c 2004-01-31 14:53:57.000000000 +0100
@@ -639,6 +640,7 @@
int i, j, k, n;
strncpy(buf, name, sizeof(buf) - 1);
+ buf[sizeof(buf) - 1] = '\0';
if ((p = strrchr(buf, '/')) != NULL) {
*p = '\0';
addrp = parse_mask(p + 1);
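Review bot: the hunk header `@@ -639,6 +640,7 @@` has the new side starting one line past the old side, so this diff was generated against a working copy that already contains the first terminator patch; `patch` will apply it to pristine 1.2.9 with an offset, but the two fixes are clearer sent as one diff or an explicit two-patch series. On the fix itself, same remark as for dotted_to_addr: the terminator keeps strrchr inside the 256-byte buf, but a name of 255 or more characters is silently shortened before `*p = '\0'` splits it at the last '/', so the mask can be lost or a different host string resolved. Rejecting `strlen(name) >= sizeof(buf)` with an error would be safer than truncating, and since this is the second copy of the same pattern, a small copy-and-terminate helper (or strlcpy where available) would keep the fix in one place.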
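The unterminated copy described in both of Karsten's messages, as an added example rather than code from the patches or from iptables: the first function reproduces the strncpy pattern into char buf[20] and reports whether a terminator was written, and parse_dotted is a hypothetical stand-in for dotted_to_addr that only walks the copy after a bounded copy has rejected overlong input (copy_bounded and octet are assumed names as well).

```c
#include <stdbool.h>
#include <string.h>

/* Reproduce the reported pattern, strncpy(buf, src, sizeof(buf) - 1) into
 * char buf[20]: returns true when no terminator lands in the copied region,
 * which happens whenever strlen(src) >= 19, as with the mask in the report. */
bool strncpy_leaves_unterminated(const char *src)
{
    char buf[20];
    memset(buf, 'X', sizeof(buf));            /* sentinel: no NUL anywhere */
    strncpy(buf, src, sizeof(buf) - 1);
    return memchr(buf, '\0', sizeof(buf) - 1) == NULL;
}

/* Bounded copy that always terminates and refuses input it would cut short:
 * a silently truncated address parses as a different address. */
bool copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (cap == 0) return false;
    if (len >= cap) { dst[0] = '\0'; return false; }
    memcpy(dst, src, len + 1);
    return true;
}

/* One decimal octet, digits only, 0..255. */
static bool octet(const char *s, unsigned char *v)
{
    unsigned long n = 0;
    if (*s == '\0') return false;
    for (; *s; s++)
        if (*s < '0' || *s > '9' || (n = n * 10 + (*s - '0')) > 255) return false;
    *v = (unsigned char)n;
    return true;
}

/* Hypothetical stand-in for dotted_to_addr (not the iptables function): walks a
 * private copy as the original does, but only after copy_bounded guaranteed a
 * terminator, so the walk cannot run past the end of buf. */
bool parse_dotted(const char *dotted, unsigned char out[4])
{
    char buf[20], *p = buf, *q;
    if (!copy_bounded(buf, sizeof(buf), dotted)) return false;
    for (int i = 0; i < 3; i++, p = q + 1) {
        if ((q = strchr(p, '.')) == NULL) return false;
        *q = '\0';
        if (!octet(p, &out[i])) return false;
    }
    return octet(p, &out[3]);
}
```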