From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Loganaden Velvindron <loganaden@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Harden iptables memory allocator
Date: Mon, 25 May 2015 21:28:07 +0200
Message-ID: <20150525192807.GA15963@salvia>
In-Reply-To: <CAOp4FwQC=NuK2YRWxhOuYyKQJjgi86r1VD6oTfzO=e=OaWhFOw@mail.gmail.com>
On Mon, May 25, 2015 at 06:59:01PM +0000, Loganaden Velvindron wrote:
[...]
> >> @@ -1753,8 +1787,8 @@ xtables_ip6parse_multiple(const char *name,
> >> struct in6_addr **addrpp,
> >> ++loop; /* skip ',' */
> >> }
> >>
> >> - *addrpp = xtables_malloc(sizeof(struct in6_addr) * count);
> >> - *maskpp = xtables_malloc(sizeof(struct in6_addr) * count);
> >> + *addrpp = xtables_reallocarray(NULL, count, sizeof(struct in6_addr));
> >> + *maskpp = xtables_reallocarray(NULL, count, sizeof(struct in6_addr));
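Review bot: neither assignment checks the value xtables_reallocarray() returns, so whether these two lines harden anything depends on what the new helper does when count * sizeof(struct in6_addr) overflows: if it exits the way xtables_malloc() does, the conversion is safe as written; if it follows reallocarray(3) and returns NULL with ENOMEM, *addrpp and *maskpp are left NULL here with no error path. State the failure semantics of xtables_reallocarray() in the commit message, and since count here is derived from a comma-separated command-line argument (bounded by the argument length limit), say explicitly that this is a defensive API change rather than a fix for a reachable overflow. The other malloc(x*y) sites mentioned later in the thread should be converted in the same patch, or the omission explained.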
> >
> > How feasible is it to trigger this overflow in iptables? I'm hitting here
> > argument list too long before I can trigger this.
> >
>
> Those were conversions that I identified as cases involving
> malloc(x*y), which could be readily changed. Rather than having cases
> where malloc(x*y) is used, we can switch to reallocarray(x*y).
>
>
> > I'd rather see an evaluation on how this integer overflow can affect
> > us.
>
> Well, it's a safe and easy to use API that can be used instead of the
> malloc(x*y).
>
>
> Are they exploitable? I'm not really into crafting exploits, but I
> welcome an easy to use API that prevents that.
>
> At the very least, having it available in the library, would be a good
> thing, when there's a case for a dangerous malloc(x*y).
The only client of this library that I know is iptables, which feeds
this function with an input from the command line.
> This is what the Xorg project did:
> https://www.freetype.org/patch/46133/
>
> They imported reallocarray() and converted cases of malloc(x*y) into
> reallocarray(NULL, x, y).
That seems good for a public library that is used by third parties,
but this is not the case.
Moreover, we also have more spots that were not converted for some
reason in this patch.
Sorry, this doesn't sound very convincing.
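The malloc(sizeof(x) * count) versus reallocarray(NULL, count, sizeof(x)) point argued in this thread, as an added example written for this page (not iptables or libxtables code): safe_reallocarray() is a hypothetical stand-alone implementation of the reallocarray(3) overflow check, placed next to wrapped_request(), the unchecked product the old code computed. count_list_items() is an assumed stand-in for the comma-counting loop that produces count in xtables_ip6parse_multiple, not the real parser, and the address list is constructed sample input.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Same shortcut as the OpenBSD reallocarray(3): when both factors are below
 * 2^(bits/2) the product cannot overflow, so the division is only paid for
 * large inputs. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* 1 if nmemb * size does not fit in size_t, else 0. */
int mul_overflows(size_t nmemb, size_t size)
{
    return (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
           nmemb > 0 && SIZE_MAX / nmemb < size;
}

/* Hypothetical allocator with reallocarray(3) semantics (not libxtables'
 * xtables_reallocarray): an overflowing product is refused with NULL/ENOMEM
 * instead of handing realloc a wrapped, too-small size. */
void *safe_reallocarray(void *optarg, size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(optarg, nmemb * size);
}

/* The unchecked 'before' computation, malloc(sizeof(x) * count): the
 * unsigned multiply wraps modulo SIZE_MAX + 1 and nothing reports it. */
size_t wrapped_request(size_t count, size_t elem)
{
    return count * elem;
}

/* Assumed stand-in for the comma-counting loop in xtables_ip6parse_multiple:
 * "a,b,c" -> 3, "" -> 0. */
size_t count_list_items(const char *s)
{
    size_t n;
    if (s == NULL || *s == '\0')
        return 0;
    for (n = 1; *s; s++)
        if (*s == ',')
            n++;
    return n;
}

/* Allocate address and mask arrays for a list with the checked allocator.
 * Returns the element count, or 0 with both pointers NULL on failure. */
size_t alloc_addr_lists(const char *list, struct in6_addr **addrpp,
                        struct in6_addr **maskpp)
{
    size_t count = count_list_items(list);

    *addrpp = safe_reallocarray(NULL, count, sizeof(struct in6_addr));
    *maskpp = safe_reallocarray(NULL, count, sizeof(struct in6_addr));
    if (count == 0 || *addrpp == NULL || *maskpp == NULL) {
        free(*addrpp);
        free(*maskpp);
        *addrpp = *maskpp = NULL;
        return 0;
    }
    return count;
}

/* Round trip through alloc_addr_lists() and return the count it reported. */
size_t alloc_count_for(const char *list)
{
    struct in6_addr *a = NULL, *m = NULL;
    size_t n = alloc_addr_lists(list, &a, &m);
    free(a);
    free(m);
    return n;
}

/* 1 if a count whose product wraps is rejected with ENOMEM, else 0.
 * huge * 16 == 2^bits + 16, so the unchecked product wraps to 16 bytes. */
int overflow_is_rejected(void)
{
    size_t huge = SIZE_MAX / sizeof(struct in6_addr) + 2;
    void *p;
    int rejected;

    errno = 0;
    p = safe_reallocarray(NULL, huge, sizeof(struct in6_addr));
    rejected = (p == NULL && errno == ENOMEM);
    free(p);
    return rejected;
}

int main(void)
{
    const char *list = "::1,fe80::1,2001:db8::5";  /* constructed sample input */
    size_t huge = SIZE_MAX / sizeof(struct in6_addr) + 2;

    printf("entries allocated for \"%s\": %zu\n", list, alloc_count_for(list));
    printf("unchecked malloc size for %zu entries: %zu bytes\n",
           huge, wrapped_request(huge, sizeof(struct in6_addr)));
    printf("safe_reallocarray rejects it: %s\n",
           overflow_is_rejected() ? "yes" : "no");
    return 0;
}
```

The contrast the thread is about is the last two lines of main: for the same count, the unchecked product asks malloc for a single 16-byte element while the checked allocator fails with ENOMEM. Whether that count is reachable from the iptables command line is the separate question raised above; the check itself costs one comparison on the common path and a division only for large factors.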
Thread overview: 11+ messages
2015-05-21 18:42 Harden iptables memory allocator Loganaden Velvindron
2015-05-21 19:29 ` Loganaden Velvindron
2015-05-22 8:50 ` Hannes Frederic Sowa
2015-05-22 8:59 ` Jan Engelhardt
2015-05-22 11:51 ` Loganaden Velvindron
2015-05-22 12:06 ` Jan Engelhardt
2015-05-22 10:49 ` Loganaden Velvindron
2015-05-25 17:56 ` Pablo Neira Ayuso
2015-05-25 18:59 ` Loganaden Velvindron
2015-05-25 19:28 ` Pablo Neira Ayuso [this message]
2015-05-25 19:52 ` Loganaden Velvindron