Hello,

the size of a chain name is not consistent:

1) Adding a new chain name is checking for max length 30:

iptables.c:1881 (do_command):
        if (chain && strlen(chain) > IPT_FUNCTION_MAXNAMELEN)
                xtables_error(PARAMETER_PROBLEM,
                           "chain name `%s' too long (must be under %i chars)",
                           chain, IPT_FUNCTION_MAXNAMELEN);

include/linux/netfilter_ipv4/ip_tables.h
#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN

include/linux/netfilter/x_tables.h:
#define XT_FUNCTION_MAXNAMELEN 30

2) Using a jump target results in a check for max length 31:

iptables.c:1564 (do_command):
        jumpto = parse_target(optarg);

iptables.c:464 (parse_target):
        if (strlen(targetname)+1 > sizeof(ipt_chainlabel))
                xtables_error(PARAMETER_PROBLEM,
                           "Invalid target name `%s' (%u chars max)",
                           targetname, (unsigned int)sizeof(ipt_chainlabel)-1);

include/libiptc/libiptc.h:
typedef char ipt_chainlabel[32];

3) But setting the target copies the name in an array of size 29:

iptables.c:1576 (do_command):
        strcpy(target->t->u.user.name, jumpto);

include/linux/netfilter/x_tables.h:
struct xt_entry_match {
        union {
                struct {
                        __u16 match_size;

                        /* Used by userspace */
                        char name[XT_FUNCTION_MAXNAMELEN-1];

                        __u8 revision;
                } user;
                struct {
                        __u16 match_size;

                        /* Used inside the kernel */
                        struct xt_match *match;
                } kernel;

                /* Total length */
                __u16 match_size;
        } u;

        unsigned char data[0];
};

Therefore all the checks should be for max length 29, right?

Please also have a look at
http://bugzilla.netfilter.org/show_bug.cgi?id=641
https://bugzilla.redhat.com/show_bug.cgi?id=545600

Thanks,
Thomas
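
Added example (not part of the original message and not iptables code): a stand-alone C sketch that reproduces the three quoted limits and reports which name lengths pass the quoted checks but do not fit the 29-byte name field. The names user_name_field, NAME_FIELD_SIZE, fits_name_field, set_target_name and count_unsafe_lengths are hypothetical and used only here.

```c
#include <stdio.h>
#include <string.h>

#define XT_FUNCTION_MAXNAMELEN 30          /* x_tables.h, as quoted */
typedef char ipt_chainlabel[32];           /* libiptc.h, as quoted */

/* Hypothetical stand-in for the quoted u.user member. */
struct user_name_field {
    unsigned short match_size;
    char name[XT_FUNCTION_MAXNAMELEN - 1]; /* 29 bytes, terminator included */
    unsigned char revision;
};
#define NAME_FIELD_SIZE sizeof(((struct user_name_field *)0)->name)

/* Check 1 as quoted from do_command (new chain name). */
int passes_new_chain_check(const char *s) { return strlen(s) <= XT_FUNCTION_MAXNAMELEN; }

/* Check 2 as quoted from parse_target (jump target). */
int passes_parse_target_check(const char *s) { return strlen(s) + 1 <= sizeof(ipt_chainlabel); }

/* Hypothetical check derived from the destination buffer itself. */
int fits_name_field(const char *s) { return strlen(s) < NAME_FIELD_SIZE; }

/* Hypothetical bounded replacement for the quoted strcpy(); -1 if too long. */
int set_target_name(struct user_name_field *u, const char *s)
{
    if (!fits_name_field(s))
        return -1;
    memcpy(u->name, s, strlen(s) + 1);
    return 0;
}

/* Number of lengths parse_target accepts that the name field cannot hold. */
int count_unsafe_lengths(void)
{
    char buf[64];
    int unsafe = 0;
    for (size_t len = 0; len < sizeof(buf); len++) {
        memset(buf, 'a', len);             /* constructed sample name */
        buf[len] = '\0';
        if (passes_parse_target_check(buf) && !fits_name_field(buf)) {
            printf("len %zu: new-chain check %s, parse_target ok, field too small\n",
                   len, passes_new_chain_check(buf) ? "ok" : "rejects");
            unsafe++;
        }
    }
    return unsafe;
}

int main(void) { printf("unsafe lengths: %d\n", count_unsafe_lengths()); return 0; }
```

Deriving the limit from sizeof the destination field, as fits_name_field does, keeps the check and the copy in step if either constant changes later.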