Linux Netfilter development
* Null dereference in ebtables-restore.c
@ 2025-12-18 13:17 Ilia Kashintsev
  2025-12-18 13:53 ` Phil Sutter
  2025-12-20 21:06 ` Pablo Neira Ayuso
From: Ilia Kashintsev @ 2025-12-18 13:17 UTC (permalink / raw)
  To: netfilter-devel

Hello maintainers! I have found a SEGV in ebtables-restore.c

It occurs on the following line:
*strchr(cmdline, '\n') = '\0';

If '\n' is not present in cmdline, then the result of strchr() is NULL
with a dereference attempt afterwards.

Output:

=================================================================
==17259==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5f3c49f0cfcd bp 0x7ffe7f3ebb60 sp 0x7ffe7f3eb940 T0)
==17259==The signal is caused by a WRITE memory access.
==17259==Hint: address points to the zero page.
    #0 0x5f3c49f0cfcd in main /orig/pkg-ebtables/ebtables-restore.c:79:26
    #1 0x70bdc8090249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #2 0x70bdc8090304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #3 0x5f3c49e2d480 in _start (/orig/pkg-ebtables/ebtables-legacy-restore+0x32480) (BuildId: 31bd20ca69b3b280488319fcba61dbf2d259f787)

==17259==Register values:
rax = 0x000070bdc67001f0  rbx = 0x00007ffe7f3eb940  rcx = 0x0000000000000000  rdx = 0x00000e1838cd803e
rdi = 0x0000000000000000  rsi = 0x00000e17b8ce003e  rbp = 0x00007ffe7f3ebb60  rsp = 0x00007ffe7f3eb940
 r8 = 0x00000e17b8ce003e   r9 = 0x0000f2f2f2f2f200  r10 = 0x00007fffffffff01  r11 = 0x0000000000000246
r12 = 0x0000000000000000  r13 = 0x00007ffe7f3ebc88  r14 = 0x00005f3c49f71510  r15 = 0x000070bdc839c020
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /orig/pkg-ebtables/ebtables-restore.c:79:26 in main
==17259==ABORTING


Reproduction:
1) Build the project with sanitizers:

export CFLAGS="-g -O0 -fsanitize=address"
export CXXFLAGS="-g -O0 -fsanitize=address"
export CC=clang
export CXX=clang++

autoreconf -fi
./configure --enable-static --disable-shared
make


2) Launch with printf:

printf '0' | ./ebtables-legacy-restore

Suggested fix:

Check strchr() result before trying to dereference it.

diff --git a/ebtables-restore.c b/ebtables-restore.c
index bb4d0cf..c97364b 100644
--- a/ebtables-restore.c
+++ b/ebtables-restore.c
@@ -76,7 +76,9 @@ int main(int argc_, char *argv_[])
                line++;
                if (*cmdline == '#' || *cmdline == '\n')
                        continue;
-               *strchr(cmdline, '\n') = '\0';
+               char *new_line = strchr(cmdline, '\n');
+               if (new_line)
+                       *new_line = '\0';
                if (*cmdline == '*') {
                        if (table_nr != -1) {
                                ebt_deliver_table(&replace[table_nr]);
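Review bot: the NULL check is correct, but `char *new_line` is declared in the middle of the block, after `continue;`, which mixes declarations with statements; in this file's C style move the declaration to the top of the enclosing block, or fold the three added lines into a single `*strchrnul(cmdline, '\n') = '\0';`, which has the same effect without a temporary. The commit message should also say what now happens to a line without '\n': it is processed instead of crashing, which covers both a final line missing its newline and, if cmdline is filled from a fixed-size buffer, a line longer than that buffer, whose remainder will then be parsed as the next line.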


* Re: Null dereference in ebtables-restore.c
@ 2025-12-18 13:53 ` Phil Sutter
From: Phil Sutter @ 2025-12-18 13:53 UTC (permalink / raw)
  To: Ilia Kashintsev; +Cc: netfilter-devel

Hi,

On Thu, Dec 18, 2025 at 04:17:39PM +0300, Ilia Kashintsev wrote:
> Hello maintainers! I have found a SEGV in ebtables-restore.c
> 
> It occurs on the following line:
> *strchr(cmdline, '\n') = '\0';
> 
> If '\n' is not present in cmdline, then the result of strchr() is NULL
> with a dereference attempt afterwards.

Thanks for the detailed report!

[...]
> Suggested fix:
> 
> Check strchr() result before trying to dereference it.
> 
> diff --git a/ebtables-restore.c b/ebtables-restore.c
> index bb4d0cf..c97364b 100644
> --- a/ebtables-restore.c
> +++ b/ebtables-restore.c
> @@ -76,7 +76,9 @@ int main(int argc_, char *argv_[])
>                 line++;
>                 if (*cmdline == '#' || *cmdline == '\n')
>                         continue;
> -               *strchr(cmdline, '\n') = '\0';
> +               char *new_line = strchr(cmdline, '\n');
> +               if (new_line)
> +                       *new_line = '\0';
>                 if (*cmdline == '*') {
>                         if (table_nr != -1) {
>                                 ebt_deliver_table(&replace[table_nr]);

How about simply using strchrnul():

--- a/ebtables-restore.c
+++ b/ebtables-restore.c
@@ -17,6 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  */
+#define _GNU_SOURCE
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
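Review bot: `#define _GNU_SOURCE` has to come before the first system header is included, and it does here, but it only works if nothing above this point (a config.h, for instance) already pulled in libc headers; the visible context shows only the license comment before `#include <stdio.h>`, so that looks fine. A one-line comment such as `/* for strchrnul() */` would tell the next reader why the feature macro is there, and since strchrnul() is a glibc extension rather than POSIX, a libc that lacks it will fail the build at this call.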
@@ -76,7 +77,7 @@ int main(int argc_, char *argv_[])
                line++;
                if (*cmdline == '#' || *cmdline == '\n')
                        continue;
-               *strchr(cmdline, '\n') = '\0';
+               *strchrnul(cmdline, '\n') = '\0';
                if (*cmdline == '*') {
                        if (table_nr != -1) {
                                ebt_deliver_table(&replace[table_nr]);
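Review bot: this removes the NULL dereference because strchrnul() returns a pointer to the terminating NUL when no '\n' is present, so the store writes '\0' over an existing '\0' and is a no-op; it still relies on cmdline being NUL-terminated, which the original strchr() call already assumed. The trade-off against the explicit check is that a line without a newline becomes indistinguishable from a normal one, so if cmdline comes from a fixed-size buffer an overlong line is silently split rather than detected.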

Cheers, Phil
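As an added example (not code from the report or from ebtables), the two fixes discussed in this thread side by side: the explicit check on the strchr() result, and the strchrnul() idiom with a portable stand-in for that glibc function so it builds without _GNU_SOURCE. The inputs are constructed, and `chomp`, `chomp_nul` and `my_strchrnul` are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Portable stand-in for glibc's strchrnul(): returns a pointer to the first
 * occurrence of c in s, or to the terminating NUL when c is absent.
 * It never returns NULL, so the caller may always dereference the result. */
static char *my_strchrnul(const char *s, int c)
{
    while (*s != '\0' && *s != (char)c)
        s++;
    return (char *)s;
}

/* Strip the trailing newline from one input line in place.
 * Returns 1 when a newline was found and removed, 0 when the line had none
 * (last line of a file without a terminating newline, or a line longer than
 * the read buffer), so the caller can tell a truncated line from a complete
 * one. The unchecked form from the report, *strchr(line, '\n') = '\0',
 * writes through NULL in the second case. */
static int chomp(char *line)
{
    char *nl = strchr(line, '\n');

    if (nl == NULL)
        return 0;
    *nl = '\0';
    return 1;
}

/* Same effect using the strchrnul() idiom: when no newline exists, the
 * write lands on the existing terminator and is a harmless no-op. */
static void chomp_nul(char *line)
{
    *my_strchrnul(line, '\n') = '\0';
}

int main(void)
{
    char with_nl[] = "*filter\n";   /* constructed: a complete line */
    char without_nl[] = "0";        /* constructed: the printf '0' case */
    int r;

    r = chomp(with_nl);
    printf("chomp(\"*filter\\n\") -> %d, \"%s\"\n", r, with_nl);
    r = chomp(without_nl);
    printf("chomp(\"0\") -> %d, \"%s\"\n", r, without_nl);
    chomp_nul(without_nl);
    printf("chomp_nul(\"0\") -> \"%s\"\n", without_nl);
    return 0;
}
```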


* Re: Null dereference in ebtables-restore.c
@ 2025-12-20 21:06 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2025-12-20 21:06 UTC (permalink / raw)
  To: Ilia Kashintsev; +Cc: netfilter-devel

Hi,

If you want to contribute to this project, you have to send us patches
in git-format-patch.

Thanks.

On Thu, Dec 18, 2025 at 04:17:39PM +0300, Ilia Kashintsev wrote:
> Suggested fix:
> 
> Check strchr() result before trying to dereference it.
> 
> diff --git a/ebtables-restore.c b/ebtables-restore.c
> index bb4d0cf..c97364b 100644
> --- a/ebtables-restore.c
> +++ b/ebtables-restore.c
> @@ -76,7 +76,9 @@ int main(int argc_, char *argv_[])
>                 line++;
>                 if (*cmdline == '#' || *cmdline == '\n')
>                         continue;
> -               *strchr(cmdline, '\n') = '\0';
> +               char *new_line = strchr(cmdline, '\n');
> +               if (new_line)
> +                       *new_line = '\0';
>                 if (*cmdline == '*') {
>                         if (table_nr != -1) {
>                                 ebt_deliver_table(&replace[table_nr]);
> 

