* Null dereference in ebtables-restore.c
@ 2025-12-18 13:17 Ilia Kashintsev
2025-12-18 13:53 ` Phil Sutter
2025-12-20 21:06 ` Pablo Neira Ayuso
0 siblings, 2 replies; 3+ messages in thread
From: Ilia Kashintsev @ 2025-12-18 13:17 UTC (permalink / raw)
To: netfilter-devel
Hello maintainers! I have found a SEGV in ebtables-restore.c
It occurs on the following line:
*strchr(cmdline, '\n') = '\0';
If '\n' is not present in cmdline, then the result of strchr() is NULL
with a dereference attempt afterwards.
Output:
=================================================================
==17259==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5f3c49f0cfcd bp 0x7ffe7f3ebb60 sp 0x7ffe7f3eb940 T0)
==17259==The signal is caused by a WRITE memory access.
==17259==Hint: address points to the zero page.
    #0 0x5f3c49f0cfcd in main /orig/pkg-ebtables/ebtables-restore.c:79:26
    #1 0x70bdc8090249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #2 0x70bdc8090304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #3 0x5f3c49e2d480 in _start (/orig/pkg-ebtables/ebtables-legacy-restore+0x32480) (BuildId: 31bd20ca69b3b280488319fcba61dbf2d259f787)

==17259==Register values:
rax = 0x000070bdc67001f0  rbx = 0x00007ffe7f3eb940  rcx = 0x0000000000000000  rdx = 0x00000e1838cd803e
rdi = 0x0000000000000000  rsi = 0x00000e17b8ce003e  rbp = 0x00007ffe7f3ebb60  rsp = 0x00007ffe7f3eb940
r8  = 0x00000e17b8ce003e  r9  = 0x0000f2f2f2f2f200  r10 = 0x00007fffffffff01  r11 = 0x0000000000000246
r12 = 0x0000000000000000  r13 = 0x00007ffe7f3ebc88  r14 = 0x00005f3c49f71510  r15 = 0x000070bdc839c020
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /orig/pkg-ebtables/ebtables-restore.c:79:26 in main
==17259==ABORTING
Reproduction:
1) Build the project with sanitizers:
export CFLAGS="-g -O0 -fsanitize=address"
export CXXFLAGS="-g -O0 -fsanitize=address"
export CC=clang
export CXX=clang++
autoreconf -fi
./configure --enable-static --disable-shared
make
2) Launch with printf:
printf '0' | ./ebtables-legacy-restore
Suggested fix:
Check strchr() result before trying to dereference it.
diff --git a/ebtables-restore.c b/ebtables-restore.c
index bb4d0cf..c97364b 100644
--- a/ebtables-restore.c
+++ b/ebtables-restore.c
@@ -76,7 +76,9 @@ int main(int argc_, char *argv_[])
line++;
if (*cmdline == '#' || *cmdline == '\n')
continue;
- *strchr(cmdline, '\n') = '\0';
+ char *new_line = strchr(cmdline, '\n');
+ if (new_line)
+ *new_line = '\0';
if (*cmdline == '*') {
if (table_nr != -1) {
ebt_deliver_table(&replace[table_nr]);
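Review bot: the NULL check fixes the write through a NULL pointer, but `char *new_line = strchr(cmdline, '\n');` declares a variable in the middle of the block, after the `continue;`; moving the declaration to the top of the block keeps declarations ahead of statements. The check also conflates the two reasons '\n' can be missing: end of input without a trailing newline (the printf '0' reproducer) and, if cmdline is filled by a bounded read, a line longer than the buffer, which would now continue silently with a partial command; a comment or explicit handling of that second case would help. The submission additionally needs a Signed-off-by line and git format-patch form, as Pablo asks in his reply.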
* Re: Null dereference in ebtables-restore.c
  2025-12-18 13:17 Null dereference in ebtables-restore.c Ilia Kashintsev
@ 2025-12-18 13:53 ` Phil Sutter
  2025-12-20 21:06 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 3+ messages in thread
From: Phil Sutter @ 2025-12-18 13:53 UTC (permalink / raw)
To: Ilia Kashintsev; +Cc: netfilter-devel

Hi,

On Thu, Dec 18, 2025 at 04:17:39PM +0300, Ilia Kashintsev wrote:
> Hello maintainers! I have found a SEGV in ebtables-restore.c
>
> It occurs on the following line:
> *strchr(cmdline, '\n') = '\0';
>
> If '\n' is not present in cmdline, then the result of strchr() is NULL
> with a dereference attempt afterwards.

Thanks for the detailed report!

[...]

> Suggested fix:
>
> Check strchr() result before trying to dereference it.
>
> diff --git a/ebtables-restore.c b/ebtables-restore.c
> index bb4d0cf..c97364b 100644
> --- a/ebtables-restore.c
> +++ b/ebtables-restore.c
> @@ -76,7 +76,9 @@ int main(int argc_, char *argv_[])
> line++;
> if (*cmdline == '#' || *cmdline == '\n')
> continue;
> - *strchr(cmdline, '\n') = '\0';
> + char *new_line = strchr(cmdline, '\n');
> + if (new_line)
> + *new_line = '\0';
> if (*cmdline == '*') {
> if (table_nr != -1) {
> ebt_deliver_table(&replace[table_nr]);

How about simply using strchrnul():

--- a/ebtables-restore.c
+++ b/ebtables-restore.c
@@ -17,6 +17,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
+#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -76,7 +77,7 @@ int main(int argc_, char *argv_[])
line++;
if (*cmdline == '#' || *cmdline == '\n')
continue;
- *strchr(cmdline, '\n') = '\0';
+ *strchrnul(cmdline, '\n') = '\0';
if (*cmdline == '*') {
if (table_nr != -1) {
ebt_deliver_table(&replace[table_nr]);

Cheers, Phil
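Review bot: in the first hunk of Phil's patch, `+#define _GNU_SOURCE` sits before the first `#include`, which is where a feature macro has to go, but it also documents that strchrnul() is a GNU extension rather than POSIX or C99; a build against a libc without it will fail at compile time, so a configure-time check with a fallback (strchr() result, else s + strlen(s)) would keep the tool portable.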
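Review bot: in the second hunk, `+ *strchrnul(cmdline, '\n') = '\0';` writes '\0' over the existing terminator when no newline is present, so it is a no-op in that case and behaves exactly like the guarded strchr() version while keeping the one-liner. Like that version it does not distinguish the last line at end of input from an overlong line that a bounded read split, so both are accepted as complete commands; worth a comment if that is intended.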
* Re: Null dereference in ebtables-restore.c
  2025-12-18 13:17 Null dereference in ebtables-restore.c Ilia Kashintsev
  2025-12-18 13:53 ` Phil Sutter
@ 2025-12-20 21:06 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2025-12-20 21:06 UTC (permalink / raw)
To: Ilia Kashintsev; +Cc: netfilter-devel

Hi,

If you want to contribute to this project, you have to send us patches in git-format-patch.

Thanks.

On Thu, Dec 18, 2025 at 04:17:39PM +0300, Ilia Kashintsev wrote:
> Suggested fix:
>
> Check strchr() result before trying to dereference it.
>
> diff --git a/ebtables-restore.c b/ebtables-restore.c
> index bb4d0cf..c97364b 100644
> --- a/ebtables-restore.c
> +++ b/ebtables-restore.c
> @@ -76,7 +76,9 @@ int main(int argc_, char *argv_[])
> line++;
> if (*cmdline == '#' || *cmdline == '\n')
> continue;
> - *strchr(cmdline, '\n') = '\0';
> + char *new_line = strchr(cmdline, '\n');
> + if (new_line)
> + *new_line = '\0';
> if (*cmdline == '*') {
> if (table_nr != -1) {
> ebt_deliver_table(&replace[table_nr]);
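The bug and both fixes discussed in the thread, as an added example that is not code from ebtables, from the report or from either reply: chrnul() is a portable stand-in for the strchrnul() Phil suggests, chomp() is the guarded newline strip, and count_commands() is a constructed restore-style line loop (its script format, 64-byte buffer and get_line() reader are assumptions, not the tool's own) that also flags the other way a line can lack '\n', an overlong line that a bounded read split.

```c
#include <string.h>
/* Portable stand-in for glibc's strchrnul() (Phil's fix): pointer to the
 * first c in s, or to the terminating NUL when c is absent, never NULL. */
static char *chrnul(char *s, int c)
{
	char *p = strchr(s, c);
	return p ? p : s + strlen(s);
}

/* Cut a line at its first '\n'; returns 1 if one was present, else 0.
 * The original  *strchr(cmdline, '\n') = '\0';  writes through NULL in
 * the second case, which is what  printf '0'  triggers. */
int chomp(char *cmdline)
{
	char *nl = chrnul(cmdline, '\n');
	int had_nl = (*nl == '\n');
	*nl = '\0';
	return had_nl;
}

/* fgets() look-alike over an in-memory script (bufsz >= 2): copies at
 * most bufsz-1 bytes, stops after '\n', returns 0 at end of input. */
static int get_line(const char **cur, char *buf, size_t bufsz)
{
	size_t i = 0;
	while (i + 1 < bufsz && **cur != '\0' && (i == 0 || buf[i - 1] != '\n'))
		buf[i++] = *(*cur)++;
	buf[i] = '\0';
	return i > 0;
}

/* Count command lines, skipping '#' comments and blank lines. A missing
 * '\n' is harmless only at end of input; elsewhere the read buffer was
 * too small, which a bare NULL check would accept silently, so return -1. */
int count_commands(const char *script, size_t bufsz)
{
	char buf[64];
	const char *cur = script;
	int n = 0;
	if (bufsz > sizeof(buf))
		bufsz = sizeof(buf);
	while (get_line(&cur, buf, bufsz)) {
		if (!chomp(buf) && *cur != '\0')
			return -1;	/* line truncated mid-way */
		if (buf[0] == '#' || buf[0] == '\0')
			continue;
		n++;
	}
	return n;
}
```

With the constructed script below, the last command has no trailing newline (the same shape as the reproducer) and is still counted, while an 8-byte buffer on the same input reports truncation instead of silently running a partial command.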