From: Daniel Borkmann <dborkman@redhat.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org,
Harald Welte <laforge@gnumonks.org>,
Noel Butler <noel.butler@ausics.net>
Subject: Re: [PATCH nf] netfilter: nf_nat: fix buffer overflow in IRC NAT helper
Date: Wed, 01 Jan 2014 05:13:08 +0100 [thread overview]
Message-ID: <52C395D4.5020501@redhat.com> (raw)
In-Reply-To: <20131231173545.GA4004@localhost>
On 12/31/2013 06:35 PM, Pablo Neira Ayuso wrote:
> On Tue, Dec 31, 2013 at 06:29:52PM +0100, Pablo Neira Ayuso wrote:
>> On Tue, Dec 31, 2013 at 04:28:39PM +0100, Daniel Borkmann wrote:
>>> Commit 5901b6be885e attempted to introduce IPv6 support into
>>> IRC NAT helper. By doing so, the following code seemed to be removed
>>> by accident:
>>>
>>> ip = ntohl(exp->master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip);
>>> sprintf(buffer, "%u %u", ip, port);
>>> pr_debug("nf_nat_irc: inserting '%s' == %pI4, port %u\n", buffer, &ip, port);
>>>
>>> This leads to the fact that buffer[] was left uninitialized and
>>> contained some stack value. When we call nf_nat_mangle_tcp_packet(),
>>> we call strlen(buffer) on excatly this uninitialized buffer. If we
>>> are unlucky and the skb has enough tailroom, we overwrite resp. leak
>>> contents with values that sit on our stack into the packet and send
>>> that out to the receiver.
>>>
>>> Since the rather informal DCC spec [1] does not seem to specify
>>> IPv6 support right now, we log such occurences so that admins can
>>> act accordingly, and drop the packet. I've looked into XChat source,
>>> and IPv6 is not supported there: addresses are in u32 and print
>>> via %u format string.
>>>
>>> Therefore, restore old behaviour as in IPv4, use snprintf(), and
>>> log IPv6 packets for now (maybe if there's consensus one day, we
>>> can still add support here). By this, we can safely use strlen(buffer)
>>> in nf_nat_mangle_tcp_packet() and prevent a buffer overflow. Also
>>> simplify some code as we now have ct variable anyway.
>>>
>>> [1] http://www.irchelp.org/irchelp/rfc/ctcpspec.html
>>
>> Thanks Daniel.
>>
>> No need for red blinking light on...
>
> Oh well, this also affects IPv4. Will pass this to master. Thanks.
Indeed, it affects IPv4 as the current code seems to be not working.
I think for now fixing this should be fine and later on there can be
follow-ups for full support for IPv6; probably that's a completely
different topic / discussion.
Thanks and happy new year,
Daniel
next prev parent reply other threads:[~2014-01-01 4:13 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-31 15:28 [PATCH nf] netfilter: nf_nat: fix buffer overflow in IRC NAT helper Daniel Borkmann
2013-12-31 17:29 ` Pablo Neira Ayuso
2013-12-31 17:35 ` Pablo Neira Ayuso
2014-01-01 4:13 ` Daniel Borkmann [this message]
2013-12-31 17:42 ` Hannes Frederic Sowa
2014-01-06 13:04 ` Pablo Neira Ayuso
2014-01-06 13:09 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52C395D4.5020501@redhat.com \
--to=dborkman@redhat.com \
--cc=laforge@gnumonks.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=noel.butler@ausics.net \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.