From: Tim Gardner <timg@tpi.com>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: kaber@trash.net, coreteam@netfilter.org,
netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org
Subject: Re: [PATCH] xt_recent: Fix buffer overflow
Date: Fri, 19 Feb 2010 14:38:56 -0700 [thread overview]
Message-ID: <4B7F04F0.8020607@tpi.com> (raw)
In-Reply-To: <alpine.LSU.2.01.1002192136160.4415@obet.zrqbmnf.qr>
Jan Engelhardt wrote:
> On Friday 2010-02-19 18:48, Tim Gardner wrote:
>> Consider the case when ip_pkt_list_tot==1; the first packet received is stored
>> in e->stamps[0] and e->index is initialized to 1. The next received packet
>> timestamp is then stored at e->stamps[1] in recent_entry_update(),
>> a buffer overflow because the maximum e->stamps[] index is 0.
>
>> @@ -173,10 +173,10 @@ recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr,
>>
>> static void recent_entry_update(struct recent_table *t, struct recent_entry *e)
>> {
>> + e->index %= ip_pkt_list_tot;
>> e->stamps[e->index++] = jiffies;
>> if (e->index > e->nstamps)
>> e->nstamps = e->index;
>> - e->index %= ip_pkt_list_tot;
>> list_move_tail(&e->lru_list, &t->lru_list);
>> }
>
> Let's analyze in 3-step manner:
>
> Claim: writes always happen to e->stamps[0]
> Prereqs: ip_pkt_list_tot==1
> Proof:
> Start with assumption that e->index's possible values at the
> start of the function are {0}.
This assumption is the root of the bug. e->index is initialized to 1 in
recent_entry_init() which means that its already out of bounds when next
recent_entry_update() is called.
> The timestamp is thus always stored in e->stamps[0].
> e->index is bumped from 0 to 1.
> The %= op clamps it back to 0.
> The possible values at the end of the function are thus {0}.
> Assumption holds and matches the result set exactly.
> Outside of the function you will thus never see e->index != 0.
>
> This does not seem much different from your proposed patch,
> which reads like:
>
> Claim: same
> Prereq: same
> Proof:
> e->index's possible start values are {0,1}.
> The %= op clamps this to {0}.
> The timestamp is always stored in e->stamps[0].
> e->index is increased by one.
> The possible values at the end of the function are {1}.
> Assumption holds, but is a superset of the result set.
> Outside of the function, you may see e->index != 0.
>
>
> So both variations of the code do the same, except yours seems to
> have the additional potential pitfall that e->index is not within the
> ring of modulus after the function has been executed.
>
>
> Where would the thinko be?
>
rtg
--
Tim Gardner timg@tpi.com www.tpi.com
OR 503-601-0234 x102 MT 406-443-5357
next prev parent reply other threads:[~2010-02-19 21:38 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-19 17:48 [PATCH] xt_recent: Fix buffer overflow Tim Gardner
2010-02-19 20:57 ` Jan Engelhardt
2010-02-19 21:38 ` Tim Gardner [this message]
2010-02-23 13:56 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B7F04F0.8020607@tpi.com \
--to=timg@tpi.com \
--cc=coreteam@netfilter.org \
--cc=jengelh@medozas.de \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).