From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Oliver Ford <ojford@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v5 1/1] iptables: Fix crash on malformed iptables-restore
Date: Mon, 29 May 2017 14:05:18 +0200
Message-ID: <20170529120518.GA11232@salvia>
In-Reply-To: <1495195346-6340-1-git-send-email-ojford@gmail.com>

On Fri, May 19, 2017 at 12:02:26PM +0000, Oliver Ford wrote:
> Fixes the crash reported in Bugzilla #1131 where a malformed parameter that
> specifies the table option during a restore can create an invalid pointer.
> It was discovered during fuzz testing that options like '-ftf'
> can cause a segfault. A parameter that includes a 't' is not currently
> filtered correctly.
>
> Improves the filtering to:
> Filter a beginning '-' followed by a character other than '-' and then a 't'
> anywhere in the parameter. This filters parameters like '-ftf'.
> Filter '--t'.
> Filter '--table', stopping when the parameter length is reached. Because the
> getopt_long function allows abbreviations, any unique abbreviation of '--table'
> will be treated as '--table'. This filters parameters like '--t', '--ta', but not
> '--ttl' or '--target'.

Applied with minor glitches.

> Signed-off-by: Oliver Ford <ojford@gmail.com>
> ---
> iptables/ip6tables-restore.c | 6 ++++--
> iptables/iptables-restore.c | 6 ++++--
> iptables/iptables-xml.c | 7 ++++---
> iptables/xtables-restore.c | 6 ++++--
> 4 files changed, 16 insertions(+), 9 deletions(-)
>
> diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
> index 39a881d..966f189 100644
> --- a/iptables/ip6tables-restore.c
> +++ b/iptables/ip6tables-restore.c
> @@ -165,8 +165,10 @@ static void add_param_to_argv(char *parsestart)
> param_buffer[param_len] = '\0';
>
> /* check if table name specified */
> - if (!strncmp(param_buffer, "-t", 2)
> - || !strncmp(param_buffer, "--table", 8)) {
> + if ((param_buffer[0] == '-' && param_buffer[1] != '-' &&
> + strchr(param_buffer, 't')) ||
> + (!strncmp(param_buffer, "--t", 3)
> + && !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
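
Review bot: In the first half of the new condition, strchr(param_buffer, 't') scans the whole parameter, so any token that starts with a single '-' and has a 't' anywhere in it is treated as a table option, not only a short-option cluster like '-ftf'. If option arguments also pass through add_param_to_argv(), a legitimate value that begins with '-' and contains a 't' (a quoted comment string, for example) would be rejected as well; consider narrowing the match, or at least noting the limitation in the comment above the check. In the second half, strncmp(param_buffer, "--table", strlen(param_buffer)) does not match the '--table=<name>' spelling, because the comparison fails at the '='; if that form should be filtered too, compare only up to the '=' when one is present.
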
No blame. iptables coding style is a bit messy, but we try to make it
converge to kernel coding style with these updates, so I mangled this to:

	if ((param_buffer[0] == '-' &&
	     param_buffer[1] != '-' &&
	     strchr(param_buffer, 't')) ||
	    (!strncmp(param_buffer, "--t", 3) &&
	     !strncmp(param_buffer, "--table", strlen(param_buffer)))) {