Re: [PATCH v3 1/1] iptables: Fix crash on malformed iptables-restore

Oliver Ford <ojford@xxxxxxxxx> · Fri, 19 May 2017 13:03:01 +0100



On Fri, May 19, 2017 at 12:36 PM, Florian Westphal <fw@xxxxxxxxx> wrote:
> Oliver Ford <ojford@xxxxxxxxx> wrote:
>> On Fri, May 19, 2017 at 11:38 AM, Florian Westphal <fw@xxxxxxxxx> wrote:
>> > Oliver Ford <ojford@xxxxxxxxx> wrote:
>> >> On Fri, May 19, 2017 at 11:04 AM, Florian Westphal <fw@xxxxxxxxx> wrote:
>> >> > Oliver Ford <ojford@xxxxxxxxx> wrote:
>> >> >> Filter a beginning '--t'. Because the getopt_long function allows abbreviations,
>> >> >> any parameter beginning with '--t' will be treated as '--table'.
>> >> >
>> >> > No, thats not correct:
>> >> > --t is treated as --table.
>> >> > --tfoo is an invalid option.
>> >> > --ttl is ttl.
>> >> >
>> >> > So this:
>> >> >
>> >> >> +                             || !strncmp(param_buffer, "--t", 3)) {
>> >> >>                               xtables_error(PARAMETER_PROBLEM,
>> >> >> +                                     "The -t option (seen in line %u) cannot be "
>> >> >> +                                     "used in ip6tables-restore.\n", line);
>> >> >
>> >> > .. rejects rules like
>> >> >
>> >> > -A INPUT -m ttl --ttl 32
>> >>
>> >> Would strncmp(param_buffer, "--ta", 4) work? I don't think there are
>> >> any options that begin with --ta other than --table.
>> >
>> > That won't catch '--t'.
>> >
>> > It will also add trouble later if any module adds an option like --tap,
>> > --tail, --target, etc.
>> >
>> > Whats wrong with:
>> >
>> > if ((param_buffer[0] == '-' && param_buffer[1] != '-' &&
>> >      strchr(param_buffer, 't') ||
>> >      (!strncmp(param_buffer, "--t", 3) &&
>> >       !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
>> >
>> > ?
>>
>> I've just sent v4 that definitely works now. If you've got
>> "!strncmp(param_buffer, "--table", strlen(param_buffer))" you don't
>> also need "!strncmp(param_buffer, "--t", 3)" as --t will get filtered.
>
> Its needed, else '--' marker gets detected as 'table', e.g.:
> -A INPUT -m ttl --ttl 32 -j ACCEPT --

Ok I've put that back in in v5 and just sent it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html