From: Thomas Woerner <twoerner@redhat.com>
To: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Chain name length inconsistent
Date: Tue, 16 Mar 2010 16:35:29 +0100
Message-ID: <4B9FA541.7080408@redhat.com>

Hello,

the size of a chain name is not consistent:

1) Adding a new chain name is checking for max length 30:

iptables.c:1881 (do_command):
    if (chain && strlen(chain) > IPT_FUNCTION_MAXNAMELEN)
        xtables_error(PARAMETER_PROBLEM,
                      "chain name `%s' too long (must be under %i chars)",
                      chain, IPT_FUNCTION_MAXNAMELEN);

include/linux/netfilter_ipv4/ip_tables.h:
    #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN

include/linux/netfilter/x_tables.h:
    #define XT_FUNCTION_MAXNAMELEN 30

2) Using a jump target results in a check for max length 31:

iptables.c:1564 (do_command):
    jumpto = parse_target(optarg);

iptables.c:464 (parse_target):
    if (strlen(targetname)+1 > sizeof(ipt_chainlabel))
        xtables_error(PARAMETER_PROBLEM,
                      "Invalid target name `%s' (%u chars max)",
                      targetname, (unsigned int)sizeof(ipt_chainlabel)-1);

include/libiptc/libiptc.h:
    typedef char ipt_chainlabel[32];

3) But setting the target copies the name in an array of size 29:

iptables.c:1576 (do_command):
    strcpy(target->t->u.user.name, jumpto);

include/linux/netfilter/x_tables.h:
    struct xt_entry_match {
        union {
            struct {
                __u16 match_size;
                /* Used by userspace */
                char name[XT_FUNCTION_MAXNAMELEN-1];
                __u8 revision;
            } user;
            struct {
                __u16 match_size;
                /* Used inside the kernel */
                struct xt_match *match;
            } kernel;
            /* Total length */
            __u16 match_size;
        } u;
        unsigned char data[0];
    };

Therefore all the checks should be for max length 29, right?

Please also have a look at
http://bugzilla.netfilter.org/show_bug.cgi?id=641
https://bugzilla.redhat.com/show_bug.cgi?id=545600

Thanks,
Thomas
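
The three limits quoted in the message, placed side by side as an added example (not iptables code and not part of the original post). `struct user_entry`, `set_name` and the other helper names are hypothetical; the example assumes the name is stored as a NUL-terminated string, which is what strcpy() writes.

```c
#include <stdio.h>
#include <string.h>

/* Sizes as quoted in the message above. */
#define XT_FUNCTION_MAXNAMELEN 30
typedef char ipt_chainlabel[32];

/* Simplified stand-in for the userspace view of the entry (hypothetical name). */
struct user_entry {
    unsigned short size;
    char name[XT_FUNCTION_MAXNAMELEN - 1];
    unsigned char revision;
};

/* Check 1: the new-chain test rejects strlen(chain) > IPT_FUNCTION_MAXNAMELEN. */
static int passes_chain_check(const char *s) { return strlen(s) <= XT_FUNCTION_MAXNAMELEN; }

/* Check 2: the parse_target test against sizeof(ipt_chainlabel). */
static int passes_target_check(const char *s) { return strlen(s) + 1 <= sizeof(ipt_chainlabel); }

/* What strcpy() needs: the string plus its terminating NUL must fit in name[]. */
static int fits_name_field(const char *s) { return strlen(s) + 1 <= sizeof(((struct user_entry *)0)->name); }

/* Bounded replacement for the strcpy(): refuse instead of writing past name[]. */
static int set_name(struct user_entry *e, const char *s)
{
    if (!fits_name_field(s))
        return -1;
    memset(e->name, 0, sizeof(e->name));
    memcpy(e->name, s, strlen(s));
    return 0;
}

/* Build a constructed name of n 'a' characters in buf. */
static const char *make_name(char *buf, size_t n) { memset(buf, 'a', n); buf[n] = '\0'; return buf; }

int main(void)
{
    char buf[64];
    struct user_entry e;
    for (size_t n = 27; n <= 32; n++) {
        const char *s = make_name(buf, n);
        printf("len %2zu: chain=%d target=%d fits=%d set_name=%d\n", n,
               passes_chain_check(s), passes_target_check(s),
               fits_name_field(s), set_name(&e, s));
    }
    return 0;
}
```

Deriving every check from `sizeof` of the destination field, as `fits_name_field` does, keeps the limits from drifting apart when a constant changes.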