From: Thomas Woerner <twoerner@redhat.com>
To: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Chain name length inconsistent
Date: Tue, 16 Mar 2010 16:35:29 +0100
Message-ID: <4B9FA541.7080408@redhat.com>

Hello,

the size of a chain name is not consistent:

1) Adding a new chain name is checking for max length 30:

iptables.c:1881 (do_command):
    if (chain && strlen(chain) > IPT_FUNCTION_MAXNAMELEN)
        xtables_error(PARAMETER_PROBLEM,
            "chain name `%s' too long (must be under %i chars)",
            chain, IPT_FUNCTION_MAXNAMELEN);

include/linux/netfilter_ipv4/ip_tables.h:
    #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN

include/linux/netfilter/x_tables.h:
    #define XT_FUNCTION_MAXNAMELEN 30

2) Using a jump target results in a check for max length 31:

iptables.c:1564 (do_command):
    jumpto = parse_target(optarg);

iptables.c:464 (parse_target):
    if (strlen(targetname)+1 > sizeof(ipt_chainlabel))
        xtables_error(PARAMETER_PROBLEM,
            "Invalid target name `%s' (%u chars max)",
            targetname, (unsigned int)sizeof(ipt_chainlabel)-1);

include/libiptc/libiptc.h:
    typedef char ipt_chainlabel[32];

3) But setting the target copies the name in an array of size 29:

iptables.c:1576 (do_command):
    strcpy(target->t->u.user.name, jumpto);

include/linux/netfilter/x_tables.h:
    struct xt_entry_match {
        union {
            struct {
                __u16 match_size;

                /* Used by userspace */
                char name[XT_FUNCTION_MAXNAMELEN-1];

                __u8 revision;
            } user;
            struct {
                __u16 match_size;

                /* Used inside the kernel */
                struct xt_match *match;
            } kernel;

            /* Total length */
            __u16 match_size;
        } u;

        unsigned char data[0];
    };

Therefore all the checks should be for max length 29, right?

Please also have a look at
http://bugzilla.netfilter.org/show_bug.cgi?id=641
https://bugzilla.redhat.com/show_bug.cgi?id=545600

Thanks,
Thomas
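
Added example (not part of the original message and not iptables code): the two length checks quoted above, run against names of 27 to 32 characters, next to a bounded copy whose limit is taken from the destination array. The constants and the 29-byte name[] come from the message; struct user_part, set_name() and probe() are hypothetical names, and the names tested are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constants and types as quoted in the message above. */
#define XT_FUNCTION_MAXNAMELEN 30
typedef char ipt_chainlabel[32];

/* Simplified stand-in for the "user" member of the quoted struct. */
struct user_part {
    unsigned short match_size;
    char name[XT_FUNCTION_MAXNAMELEN - 1];   /* 29 bytes, NUL included */
    unsigned char revision;
};

/* Check 1 as quoted (new chain): accepts strlen <= 30. */
static int new_chain_ok(const char *s) { return !(strlen(s) > XT_FUNCTION_MAXNAMELEN); }

/* Check 2 as quoted (parse_target): accepts strlen + 1 <= 32. */
static int parse_target_ok(const char *s) { return !(strlen(s) + 1 > sizeof(ipt_chainlabel)); }

/* Hypothetical bounded copy: the limit comes from the destination itself. */
static int set_name(struct user_part *u, const char *s)
{
    size_t need = strlen(s) + 1;             /* bytes including the NUL */
    if (need > sizeof(u->name))
        return -1;                           /* reject instead of overflowing */
    memcpy(u->name, s, need);
    return 0;
}

/* Returns a bitmask for a constructed name of n characters (n < 64):
 * bit 0 = check 1 passes, bit 1 = check 2 passes, bit 2 = bounded copy succeeds. */
static int probe(size_t n)
{
    char buf[64];
    struct user_part u;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return new_chain_ok(buf) | (parse_target_ok(buf) << 1) | ((set_name(&u, buf) == 0) << 2);
}

int main(void)
{
    for (size_t n = 27; n <= 32; n++)
        printf("len %2zu -> mask %d\n", n, probe(n));
    return 0;
}
```

A mask with bit 0 or bit 1 set but bit 2 clear marks a length that a quoted check accepts although the name, with its terminating NUL, does not fit the 29-byte array.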