From 21d1283750d9c4df7ca80165d2b9dc0b9bd214eb Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 16 Mar 2010 16:49:21 +0100 Subject: iptables: correctly check for too-long chain/target/match names * iptables-restore was not checking for chain name length * iptables was not checking for match name length * target length was checked against 32, not 29. References: http://bugzilla.netfilter.org/show_bug.cgi?id=641 Signed-off-by: Jan Engelhardt --- ip6tables-restore.c | 6 ++++++ ip6tables.c | 4 ++-- iptables-restore.c | 6 ++++++ iptables.c | 4 ++-- xtables.c | 5 +++++ 5 files changed, 21 insertions(+), 4 deletions(-) diff --git a/ip6tables-restore.c b/ip6tables-restore.c index d0efbeed..f0725d1e 100644 --- a/ip6tables-restore.c +++ b/ip6tables-restore.c @@ -253,6 +253,12 @@ int main(int argc, char *argv[]) exit(1); } + if (strlen(chain) > XT_FUNCTION_MAXNAMELEN - 1) + xtables_error(PARAMETER_PROBLEM, + "Invalid chain name `%s' " + "(%u chars max)", + chain, XT_FUNCTION_MAXNAMELEN - 1); + if (ip6tc_builtin(chain, handle) <= 0) { if (noflush && ip6tc_is_chain(chain, handle)) { DEBUGP("Flushing existing user defined chain '%s'\n", chain); diff --git a/ip6tables.c b/ip6tables.c index e2359dfe..6ee42819 100644 --- a/ip6tables.c +++ b/ip6tables.c @@ -456,10 +456,10 @@ parse_target(const char *targetname) xtables_error(PARAMETER_PROBLEM, "Invalid target name (too short)"); - if (strlen(targetname)+1 > sizeof(ip6t_chainlabel)) + if (strlen(targetname) > XT_FUNCTION_MAXNAMELEN - 1) xtables_error(PARAMETER_PROBLEM, "Invalid target name `%s' (%u chars max)", - targetname, (unsigned int)sizeof(ip6t_chainlabel)-1); + targetname, XT_FUNCTION_MAXNAMELEN - 1); for (ptr = targetname; *ptr; ptr++) if (isspace(*ptr)) diff --git a/iptables-restore.c b/iptables-restore.c index 86d63e28..4a74485c 100644 --- a/iptables-restore.c +++ b/iptables-restore.c @@ -259,6 +259,12 @@ main(int argc, char *argv[]) exit(1); } + if (strlen(chain) > XT_FUNCTION_MAXNAMELEN - 1) + xtables_error(PARAMETER_PROBLEM, + "Invalid chain name `%s' " + "(%u chars max)", + chain, XT_FUNCTION_MAXNAMELEN - 1); + if (iptc_builtin(chain, handle) <= 0) { if (noflush && iptc_is_chain(chain, handle)) { DEBUGP("Flushing existing user defined chain '%s'\n", chain); diff --git a/iptables.c b/iptables.c index 08eb1345..25bc8cc6 100644 --- a/iptables.c +++ b/iptables.c @@ -460,10 +460,10 @@ parse_target(const char *targetname) xtables_error(PARAMETER_PROBLEM, "Invalid target name (too short)"); - if (strlen(targetname)+1 > sizeof(ipt_chainlabel)) + if (strlen(targetname) > XT_FUNCTION_MAXNAMELEN - 1) xtables_error(PARAMETER_PROBLEM, "Invalid target name `%s' (%u chars max)", - targetname, (unsigned int)sizeof(ipt_chainlabel)-1); + targetname, XT_FUNCTION_MAXNAMELEN - 1); for (ptr = targetname; *ptr; ptr++) if (isspace(*ptr)) diff --git a/xtables.c b/xtables.c index f3baf84d..7340c87a 100644 --- a/xtables.c +++ b/xtables.c @@ -545,6 +545,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload, struct xtables_match *ptr; const char *icmp6 = "icmp6"; + if (strlen(name) > XT_FUNCTION_MAXNAMELEN - 1) + xtables_error(PARAMETER_PROBLEM, + "Invalid match name \"%s\" (%u chars max)", + name, XT_FUNCTION_MAXNAMELEN - 1); + /* This is ugly as hell. Nonetheless, there is no way of changing * this without hurting backwards compatibility */ if ( (strcmp(name,"icmpv6") == 0) || -- cgit v1.2.3