NetBSD Problem Report #50026
From www@NetBSD.org Fri Jul 3 01:26:56 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id DE0B1A654B
for <gnats-bugs@gnats.NetBSD.org>; Fri, 3 Jul 2015 01:26:55 +0000 (UTC)
Message-Id: <20150703012654.1C6B7A654F@mollari.NetBSD.org>
Date: Fri, 3 Jul 2015 01:26:54 +0000 (UTC)
From: brave_shi@huawei.com
Reply-To: brave_shi@huawei.com
To: gnats-bugs@NetBSD.org
Subject: buffer overflow ipfilter
X-Send-Pr-Version: www-1.0
>Number: 50026
>Category: security
>Synopsis: buffer overflow ipfilter
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: security-officer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jul 03 01:30:00 +0000 2015
>Last-Modified: Sun Nov 10 20:50:01 +0000 2019
>Originator: Yong Shi
>Release: 6.1.5
>Organization:
Huawei
>Environment:
Code Audit
>Description:
fr_stgettable(char *data)
{
    ipftable_t table;
    ...
    error = fr_inobj(data, NULL, &table, IPFOBJ_GTABLE);
    ...
}

int
fr_inobj(void *data, ipfobj_t *objp, void *ptr, int type)
{
    ...
    } else {
#ifdef IPFILTER_COMPAT
        error = fr_in_compat(objp, ptr);
#else
        return EINVAL;
#endif
    }
    ...
}

int
fr_in_compat(ipfobj_t *obj, void *ptr)
{
    ...
    case IPFOBJ_NAT :
        if (obj->ipfo_rev >= 4011400) {
            sz = sizeof(nat_4_1_14_t);
        } else if (obj->ipfo_rev >= 4010300) {
            sz = sizeof(nat_4_1_3_t);
        } else {
            break;
        }
        bzero(ptr, sizeof(nat_t));
        error = COPYIN(obj->ipfo_ptr, ptr, sz);
        break;
    }
    return error;
}
Under the function fr_stgettable, the variable table is a local variable, which is passed to the function fr_inobj as a parameter and then passed on to the function fr_in_compat as a parameter. However, under the IPFOBJ_NAT case, the bzero will overwrite the ptr variable with the size of the nat_t struct.
>How-To-Repeat:
none
>Fix:
We should clear the ptr variable before passing it to the fr_in_compat function. It's a patch I don't like. :(
>Audit-Trail:
From: coypu@sdf.org
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: security/50026: buffer overflow ipfilter
Date: Sun, 10 Nov 2019 20:45:58 +0000
This is still relevant for the current ipfilter code.
ipf_in_compat(ipf_main_softc_t *softc, ipfobj_t *obj, void *ptr, int size)
    case IPFOBJ_NAT :
        if (obj->ipfo_rev >= 4011400) {
            sz = sizeof(nat_4_1_14_t);
        } else if (obj->ipfo_rev >= 4010300) {
            sz = sizeof(nat_4_1_3_t);
        } else {
            break;
        }
        bzero(ptr, sizeof(nat_t));
        error = COPYIN(obj->ipfo_ptr, ptr, sz);
        if (error != 0) {
            IPFERROR(140039);
        }
        break;
Callers pass a not-sufficiently-wide ipfobj_t.
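Added example, not from the PR or from the ipfilter sources: a userland model of the IPFOBJ_NAT compat path described in the report and in the follow-up above, where the copy-in routine takes the destination size and returns EINVAL when the caller's object is smaller than nat_t, the check that fr_in_compat/ipf_in_compat lack before their bzero. The struct layouts and the IPFOBJ_NAT tag value are constructed stand-ins; only their relative sizes matter.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the ipfilter types named in the PR; only the
 * relative sizes matter here (nat_t larger than both compat layouts, and
 * ipftable_t much smaller than nat_t, as in fr_stgettable). */
enum { IPFOBJ_NAT = 1 };                          /* constructed tag value */
typedef struct { uint32_t f[4]; }  nat_4_1_3_t;   /* 16 bytes */
typedef struct { uint32_t f[8]; }  nat_4_1_14_t;  /* 32 bytes */
typedef struct { uint32_t f[12]; } nat_t;         /* 48 bytes */
typedef struct { uint32_t f[2]; }  ipftable_t;    /*  8 bytes */

typedef struct {
    int   ipfo_rev;   /* ipfilter revision the caller speaks */
    int   ipfo_type;  /* IPFOBJ_* tag */
    void *ipfo_ptr;   /* user buffer, modelled as a plain pointer */
} ipfobj_t;

/* Hardened compat copy-in: takes the destination size and refuses to zero
 * or copy more bytes than the caller provided. Returns 0 or EINVAL. */
int in_compat_checked(const ipfobj_t *obj, void *ptr, size_t ptr_size)
{
    size_t sz;

    switch (obj->ipfo_type) {
    case IPFOBJ_NAT:
        if (obj->ipfo_rev >= 4011400)
            sz = sizeof(nat_4_1_14_t);
        else if (obj->ipfo_rev >= 4010300)
            sz = sizeof(nat_4_1_3_t);
        else
            return EINVAL;
        /* The PR's defect: bzero(ptr, sizeof(nat_t)) regardless of what
         * ptr points at. Bound both writes by the caller's size first. */
        if (ptr_size < sizeof(nat_t) || sz > ptr_size)
            return EINVAL;
        memset(ptr, 0, sizeof(nat_t));
        memcpy(ptr, obj->ipfo_ptr, sz);  /* stands in for COPYIN */
        return 0;
    default:
        return EINVAL;
    }
}
```

Passing a stack ipftable_t with its real size, as fr_stgettable does, is now rejected instead of overwriting the neighbouring stack bytes.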
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.