
ipfilter: Avoid OOB read when ingesting interface names in ip_nat
Needs Review · Public

Authored by cy on Wed, Oct 22, 11:30 PM.

Details

Reviewers
emaste
markj
Summary

Rogue callers (i.e., a rogue jail) to ip_nat may input interface names
longer than the passed string length. Make sure the interface string
is not longer than specified.

This is not a problem when using the command-line interface, only when
calling ipfilter directly from user code that tries to emulate the ipfilter
userland.

Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 1 day

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 68018
Build 64901: arc lint + arc unit

Event Timeline

cy requested review of this revision. Wed, Oct 22, 11:30 PM
sys/netpfil/ipfilter/netinet/ip_nat.c:1546

Do we have some existing check that we are guaranteed not to walk off the end of a malicious in_names?

I will review my use of strlen throughout. I'll get back to you tomorrow.

sys/netpfil/ipfilter/netinet/ip_nat.c:1546

I suppose I could use an arbitrary number. in_names are interface names.
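Added example, not ipfilter's code and not the patch under review: it shows the pattern the summary and the line-1546 question describe, an unbounded strlen() over a caller-supplied name field next to a bounded check that refuses a field with no terminator. The names NAME_FIELD_SIZE, REQ_SIZE, build_request, ifname_len_unbounded and ifname_copy_bounded are mine; the 16-byte width assumes FreeBSD's IFNAMSIZ from <net/if.h>, and the request layout is a constructed stand-in for the real ioctl structures, not their actual shape.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Assumptions (not ipfilter's real structures):
 *  - NAME_FIELD_SIZE stands in for the width of an interface-name field in a
 *    request copied in from userland; FreeBSD bounds interface names by
 *    IFNAMSIZ (16) in <net/if.h>, which is the value used here.
 *  - REQ_SIZE bytes model the whole request: the name field is the first
 *    NAME_FIELD_SIZE bytes and another field follows it, as in a real
 *    ioctl request structure.
 */
#define NAME_FIELD_SIZE 16
#define REQ_SIZE        32

/*
 * Builds a constructed request image: name_len bytes of name are copied into
 * the name field with NO implicit NUL terminator (this is exactly what a
 * rogue caller controls), and next_field is placed right after the name field.
 */
void build_request(char req[REQ_SIZE], const char *name, size_t name_len,
    const char *next_field)
{
    memset(req, 0, REQ_SIZE);
    if (name_len > NAME_FIELD_SIZE)
        name_len = NAME_FIELD_SIZE;
    memcpy(req, name, name_len);
    strncpy(req + NAME_FIELD_SIZE, next_field, REQ_SIZE - NAME_FIELD_SIZE - 1);
}

/*
 * Vulnerable pattern: trusts that the caller NUL-terminated the field.
 * If it did not, strlen() keeps reading past the field into whatever
 * follows. (In this demo the following bytes are still inside the same
 * REQ_SIZE array, so the read is contained and well defined; in a kernel
 * request structure it is an out-of-bounds read of adjacent memory.)
 */
size_t ifname_len_unbounded(const char *field)
{
    return strlen(field);
}

/*
 * Hardened pattern: never look beyond field_len bytes, and refuse a name
 * that has no terminator inside the field or that would not fit in dst.
 * Returns the name length, or -1 on rejection (the ioctl path would fail
 * the request instead of continuing with an unterminated name).
 */
int ifname_copy_bounded(char *dst, size_t dstlen, const char *field,
    size_t field_len)
{
    size_t n = strnlen(field, field_len);

    if (n == field_len)      /* no NUL within the field: reject */
        return -1;
    if (n >= dstlen)         /* would not fit with a terminator: reject */
        return -1;
    memcpy(dst, field, n);
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    char req[REQ_SIZE];
    char name[NAME_FIELD_SIZE];

    /* Well-formed caller: "em0" followed by NULs. */
    build_request(req, "em0", 3, "xyz");
    printf("honest: strlen=%zu bounded=%d\n", ifname_len_unbounded(req),
        ifname_copy_bounded(name, sizeof name, req, NAME_FIELD_SIZE));

    /* Rogue caller: 16 non-NUL bytes, no terminator anywhere in the field. */
    build_request(req, "AAAAAAAAAAAAAAAA", 16, "xyz");
    printf("rogue:  strlen=%zu bounded=%d\n", ifname_len_unbounded(req),
        ifname_copy_bounded(name, sizeof name, req, NAME_FIELD_SIZE));
    return 0;
}
```

For the honest request both paths agree on a length of 3; for the rogue one, strlen() reports 19 because it walked through the 16-byte field and into the bytes that follow, while the bounded copy rejects the request. The bound passed to strnlen() is the field's own declared size rather than a number picked by hand; for interface names that size is IFNAMSIZ.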