Re: Global buffer overflow in parse_ip6_mask()

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Thu, Dec 18, 2025 at 04:15:05PM +0300, Ilia Kashintsev wrote:
[...]
> 2) Build the example:
> 
> clang -g -O0 -fsanitize=address -o reproduction reproduction.c
> libebtc_la-useful_functions.o ./.libs/libebtc.a
> 
> reproduction.c:

Hm, a custom file that uses this static library?
Maybe you describe how to crash this using ebtables userspace tool?
This is not even a shared library system wide available?

More comments below.

> #include <stdio.h>
> #include <unistd.h>
> 
> #include <arpa/inet.h>
> #include <netinet/in.h>
> 
> #if defined(__linux__)
> #  include <netinet/ether.h>
> #else
> #  include <net/ethernet.h>
> #  include <arpa/inet.h>
> #  include <netinet/ether.h>
> #endif
> 
> void ebt_parse_ip6_address(char *address, struct in6_addr *addr,
> struct in6_addr *msk);
> 
> int main(void) {
>     unsigned char buf[256];
>     ssize_t len;
> 
>     len = read(STDIN_FILENO, buf, sizeof(buf));
>     if (len <= 0) {
>         if (len == 0) {
>             return 0;
>         } else {
>             perror("read");
>             return 1;
>         }
>     }
> 
>     if (len < sizeof(buf)) {
>         buf[len] = '\0';
>     } else {
>         buf[sizeof(buf) - 1] = '\0';
>     }
> 
>     struct in6_addr addr = {0};
>     struct in6_addr msk = {0};
> 
>     ebt_parse_ip6_address((char *)buf, &addr, &msk);
> 
>     return 0;
> }
> 
> 
> 3) Launch the example with the provided inputs:
> 
> ./reproduction < input1.txt
> ./reproduction < input2.txt
> 
> To generate input1.txt and input2.txt copy the corresponding text into
> bs64_1.txt and bs64_2.txt and then run:
> 
> base64 -d bs64_1.txt > input1.txt
> base64 -d bs64_2.txt > input2.txt
> 
> bs64_1.txt:
> WTEvLzESES8vMTI4AAAAWQAAAAExEhIfAIAADgBk/wB/8Q4mLwAAAAAAAAEAMTIxDg4=
> 
> bs64_2.txt:
> WWxsN4BvUTYg2GxsLzgADg==

Maybe next time just post a patch to fix this silly bug... this tool
can only be run with root priviledges.

> Suggested fix:
> 
> It is proposed to handle 2 cases separately, keeping current behaviour
> when bits % 8 != 0 and avoiding it when bits % 8 == 0. Nevertheless, i
> can't be sure this fix is totally correct.
> 
> diff --git a/useful_functions.c b/useful_functions.c

As said, post a patch that applies via git-format-patch for review.

Thanks.

> index 133ae2f..a8dfcbc 100644
> --- a/useful_functions.c
> +++ b/useful_functions.c
> @@ -364,8 +364,12 @@ static struct in6_addr *parse_ip6_mask(char *mask)
>         if (bits != 0) {
>                 char *p = (char *)&maskaddr;
>                 memset(p, 0xff, bits / 8);
> -               memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
> -               p[bits / 8] = 0xff << (8 - (bits & 7));
> +               if (bits & 7) {
> +                       memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
> +                       p[bits / 8] = 0xff << (8 - (bits & 7));
> +               } else {
> +                       memset(p + (bits / 8), 0, (128 - bits) / 8);
> +               }
>                 return &maskaddr;
>         }
>