From: Patrick McHardy <kaber@trash.net>
To: timg@tpi.com
Cc: Jan Engelhardt <jengelh@medozas.de>,
	coreteam@netfilter.org, netfilter-devel@vger.kernel.org,
	netfilter@vger.kernel.org
Subject: Re: [PATCH] xt_recent: Fix buffer overflow
Date: Tue, 23 Feb 2010 14:56:25 +0100	[thread overview]
Message-ID: <4B83DE89.6080309@trash.net> (raw)
In-Reply-To: <4B7F04F0.8020607@tpi.com>

Tim Gardner wrote:
> Jan Engelhardt wrote:
>> On Friday 2010-02-19 18:48, Tim Gardner wrote:
>>> Consider the case when ip_pkt_list_tot==1; the first packet received is stored
>>> in e->stamps[0] and e->index is initialized to 1. The next received packet
>>> timestamp is then stored at e->stamps[1] in recent_entry_update(),
>>> a buffer overflow because the maximum e->stamps[] index is 0.
>>> @@ -173,10 +173,10 @@ recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr,
>>>
>>> static void recent_entry_update(struct recent_table *t, struct recent_entry *e)
>>> {
>>> +	e->index %= ip_pkt_list_tot;
>>> 	e->stamps[e->index++] = jiffies;
>>> 	if (e->index > e->nstamps)
>>> 		e->nstamps = e->index;
>>> -	e->index %= ip_pkt_list_tot;
>>> 	list_move_tail(&e->lru_list, &t->lru_list);
>>> }
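Review bot: after this reordering e->index is left at the post-increment value between calls, i.e. equal to ip_pkt_list_tot once the ring wraps (1 when ip_pkt_list_tot==1, the same state recent_entry_init() leaves behind per the description above), so the hunk relies on every other reader of e->index reducing it modulo ip_pkt_list_tot before using it as a subscript into e->stamps[]; the commit message should state that those uses were checked. The nstamps bookkeeping is unaffected: the value compared in `if (e->index > e->nstamps)` is now always in 1..ip_pkt_list_tot, so e->nstamps cannot exceed the ring size.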
>> Let's analyze in 3-step manner:
>>
>> Claim: writes always happen to e->stamps[0]
>> Prereqs: ip_pkt_list_tot==1
>> Proof:
>>  Start with assumption that e->index's possible values at the
>>  start of the function are {0}.
> 
> This assumption is the root of the bug. e->index is initialized to 1 in
> recent_entry_init() which means that it's already out of bounds when next
> recent_entry_update() is called.

This patch looks correct to me. Applied, thanks Tim.
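The index ordering discussed in this thread, as an added example that is not part of the thread or of the kernel source: a user-space model of the xt_recent timestamp ring with the pre-fix and post-fix update order side by side, so the ip_pkt_list_tot==1 case can be exercised without a kernel. MAX_STAMPS, the jiffies counter and the helper names entry_init, update_before_fix, update_after_fix and run_updates are assumptions made here.

```c
/* Added example, not kernel code: stand-alone model of the xt_recent timestamp ring
 * from this thread. Names mirror the kernel's; MAX_STAMPS and jiffies are constructed. */
#include <stdbool.h>
#define MAX_STAMPS 4                     /* constructed ring capacity */
static unsigned int ip_pkt_list_tot = 1; /* module parameter; 1 triggers the bug */
static unsigned long jiffies;            /* constructed tick counter */
struct recent_entry {
	unsigned long stamps[MAX_STAMPS];
	unsigned int index, nstamps;
};
/* Mirrors recent_entry_init(): first stamp in slot 0, index left at 1. */
static void entry_init(struct recent_entry *e)
{
	e->stamps[0] = ++jiffies;
	e->index = 1;
	e->nstamps = 1;
}
/* Pre-fix order: write, then reduce; the guard makes the overflow observable. */
static bool update_before_fix(struct recent_entry *e)
{
	if (e->index >= ip_pkt_list_tot)
		return false;            /* would have written e->stamps[ip_pkt_list_tot] */
	e->stamps[e->index++] = ++jiffies;
	if (e->index > e->nstamps)
		e->nstamps = e->index;
	e->index %= ip_pkt_list_tot;
	return true;
}
/* Post-fix order from the hunk: reduce first, so the slot is always in range. */
static bool update_after_fix(struct recent_entry *e)
{
	e->index %= ip_pkt_list_tot;
	e->stamps[e->index++] = ++jiffies;
	if (e->index > e->nstamps)
		e->nstamps = e->index;
	return true;
}
/* Runs n updates after init and returns how many stayed in bounds. */
static unsigned int run_updates(unsigned int tot, unsigned int n, bool (*update)(struct recent_entry *))
{
	struct recent_entry e;
	unsigned int ok = 0, i;
	if (tot == 0 || tot > MAX_STAMPS)
		return 0;                /* assumption: the real module rejects 0 at load */
	ip_pkt_list_tot = tot;
	entry_init(&e);
	for (i = 0; i < n; i++)
		ok += update(&e);
	return ok;
}
```

With ip_pkt_list_tot==1 the pre-fix order never finds an in-range slot after init, while any larger ring size behaves identically under both orderings.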
