From: Loic <hackurx@opensec.fr>
To: Jan Engelhardt <jengelh@inai.de>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: [netfilter-core] Heap overflow in xt_geoip.c
Date: Sun, 23 Jul 2017 14:48:03 +0200
Message-ID: <a72148eac6a538e975281ad675758dfb@opensec.fr>
In-Reply-To: <77bf7ff91165dafb9955bbcb63544898@opensec.fr>
>>>> On Tue, Jun 20, 2017 at 08:31:26PM +0200, Loic wrote:
>>>>> Hi,
>>>>>
>>>>> I think there is a problem in the geoip code because I detect this:
>>>>>
>>>>> grep -ar "cicus.162_313 max" /usr/src/xtables-addons-2.12/extensions/
>>>>> /usr/src/xtables-addons-2.12/extensions/xt_geoip.o:cicus.162_313 max, count: 7, decl: vmalloc; num: 1; context: fndecl;
>>>>> /usr/src/xtables-addons-2.12/extensions/xt_geoip.o:/usr/src/xtables-addons-2.12/extensions/xt_geoip.ccicus.162_313 max, count: 5, decl: size_overflow MARK_NO copy_user_generic 3; num: 0; context: attr;
>>>>> /usr/src/xtables-addons-2.12/extensions/xt_geoip.ko:cicus.162_313 max, count: 7, decl: vmalloc; num: 1; context: fndecl;
>>>>> /usr/src/xtables-addons-2.12/extensions/xt_geoip.ko:/usr/src/xtables-addons-2.12/extensions/xt_geoip.ccicus.162_313 max, count: 5, decl: size_overflow MARK_NO copy_user_generic 3; num: 0; context: attr;
I did not find what I was looking for, but a static code analysis
revealed some errors.
Help: The documentation for all analyzer warnings is available here: http://www.viva64.com/en/w/.
/xtables-addons-2.13/extensions/ACCOUNT/libxt_ACCOUNT_cl.c 166 err V575 The null pointer is passed into 'setsockopt' function. Inspect the fourth argument.
/xtables-addons-2.13/extensions/ACCOUNT/libxt_ACCOUNT_cl.c 166 err V575 The 'setsockopt' function processes '0' elements. Inspect the fifth argument.
/xtables-addons-2.13/extensions/pknock/pknlusr.c 45 warn V641 The size of the '& src_addr' buffer is not a multiple of the element size of the type 'struct sockaddr'.
/xtables-addons-2.13/extensions/pknock/pknlusr.c 72 warn V641 The size of the '& dest_addr' buffer is not a multiple of the element size of the type 'struct sockaddr'.
/xtables-addons-2.13/extensions/xt_DNETMAP.c 401 err V512 A call of the 'memcmp' function will lead to the '& e->prefix' buffer becoming out of range.
/xtables-addons-2.13/extensions/xt_DELUDE.c 82 warn V560 A part of conditional expression is always true: !oth->rst.
/xtables-addons-2.13/extensions/xt_geoip.c 148 err V568 It's odd that 'sizeof()' operator evaluates the size of a pointer to a class, but not the size of the '(& geoip_head[proto])->next' class object.
/xtables-addons-2.13/extensions/xt_geoip.c 148 err V568 It's odd that 'sizeof()' operator evaluates the size of a pointer to a class, but not the size of the 'p->list.next' class object.
/xtables-addons-2.13/extensions/xt_ipp2p.c 514 warn V666 Consider inspecting fourth argument of the function 'HX_memmem'. It is possible that the value does not correspond with the length of a string which was passed with the third argument.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 622 err V595 The 'peer' pointer was utilized before it was verified against nullptr. Check lines: 622, 623.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1047 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1053 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1055 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1058 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1061 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1064 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1069 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1072 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1075 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1077 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1079 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1086 warn V612 An unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1090 warn V612 An unconditional 'return' within a loop.
Thanks!
--
Best regards,
Loic
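A small parser for the PVS-Studio plain-text report layout pasted in the message above, written here as an added example for triaging such output; it is not part of the mail or of the xtables-addons project. It re-joins diagnostic messages that the mail client wrapped onto following lines, counts findings per diagnostic code and per file, and orders 'err' findings (the memory-safety ones such as V512, V595 and V575) ahead of the 'warn' noise; the embedded report excerpt is a constructed sample assembled from lines of the mail.

```python
import re
from collections import Counter

# Constructed sample in the layout seen in the mail:
# "<path> <line> <severity> <code> <message>", with long messages
# wrapped by the mail client onto the following lines.
SAMPLE_REPORT = """\
/xtables-addons-2.13/extensions/ACCOUNT/libxt_ACCOUNT_cl.c 166 err V575
The null pointer is passed into 'setsockopt' function. Inspect the
fourth argument.
/xtables-addons-2.13/extensions/xt_DNETMAP.c 401 err V512 A call of the
'memcmp' function will lead to the '& e->prefix' buffer becoming out of
range.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 622 err V595 The
'peer' pointer was utilized before it was verified against nullptr.
Check lines: 622, 623.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1047 warn V612 An
unconditional 'return' within a loop.
/xtables-addons-2.13/extensions/pknock/xt_pknock.c 1053 warn V612 An
unconditional 'return' within a loop.
"""

# A diagnostic starts with a .c/.h path, a line number, err|warn and a V-code.
HEADER = re.compile(r"^(\S+\.[ch]) (\d+) (err|warn) (V\d+)\s*(.*)$")


def parse_report(text):
    """Return one dict per diagnostic, gluing wrapped message lines back on."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            path, lineno, sev, code, msg = m.groups()
            records.append({"file": path, "line": int(lineno),
                            "severity": sev, "code": code, "message": msg})
        elif records and line.strip():
            # Not a header line: it continues the previous diagnostic's message.
            records[-1]["message"] = (records[-1]["message"] + " " + line.strip()).strip()
    return records


def summarize(records):
    """Counters per (severity, code) and per file, for a quick triage view."""
    by_code = Counter((r["severity"], r["code"]) for r in records)
    by_file = Counter(r["file"] for r in records)
    return by_code, by_file


def errors_first(records):
    """'err' findings before 'warn', then by file and line number."""
    return sorted(records, key=lambda r: (r["severity"] != "err", r["file"], r["line"]))
```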