From patchwork Mon Nov 13 13:27:54 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nicolas Dichtel
X-Patchwork-Id: 837433
X-Patchwork-Delegate: pablo@netfilter.org
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3ybBKX44Kpz9s84 for ; Tue, 14 Nov 2017 00:28:16 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754244AbdKMN2N (ORCPT ); Mon, 13 Nov 2017 08:28:13 -0500
Received: from host.76.145.23.62.rev.coltfrance.com ([62.23.145.76]:37589 "EHLO proxy.6wind.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754230AbdKMN2J (ORCPT ); Mon, 13 Nov 2017 08:28:09 -0500
Received: from bretzel.dev.6wind.com (unknown [10.16.0.19]) by proxy.6wind.com (Postfix) with ESMTPS id 5CFFEFF2C0; Mon, 13 Nov 2017 14:21:12 +0100 (CET)
Received: from dichtel by bretzel.dev.6wind.com with local (Exim 4.84_2) (envelope-from ) id 1eEEmL-0003tq-Gp; Mon, 13 Nov 2017 14:27:57 +0100
From: Nicolas Dichtel
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, huaibin Wang , Nicolas Dichtel
Subject: [PATCH iptables v2] libxt_sctp: fix array out of range in print_chunk
Date: Mon, 13 Nov 2017 14:27:54 +0100
Message-Id: <20171113132754.14911-1-nicolas.dichtel@6wind.com>
X-Mailer: git-send-email 2.13.2
In-Reply-To: <20171113123854.GA7570@salvia>
References: <20171113123854.GA7570@salvia>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netfilter-devel@vger.kernel.org
From: huaibin Wang For chunk type ASCONF, ASCONF_ACK and FORWARD_TSN, sctp_chunk_names[].chunk_type is not equal to the corresponding index in sctp_chunk_names[]. Using this field leads to a segmentation fault (index out of range). Example $ iptables -A INPUT -p sctp --chunk-type all ASCONF,ASCONF_ACK,FORWARD_TSN -j ACCEPT $ iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Segmentation fault Signed-off-by: huaibin Wang Signed-off-by: Nicolas Dichtel --- v1 -> v2: uncomment corresponding tests extensions/libxt_sctp.c | 2 +- extensions/libxt_sctp.t | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c index df1936be8b83..140de2653b1e 100644 --- a/extensions/libxt_sctp.c +++ b/extensions/libxt_sctp.c @@ -370,7 +370,7 @@ print_chunk(uint32_t chunknum, int numeric) for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) if (sctp_chunk_names[i].chunk_type == chunknum) - printf("%s", sctp_chunk_names[chunknum].name); + printf("%s", sctp_chunk_names[i].name); } } diff --git a/extensions/libxt_sctp.t b/extensions/libxt_sctp.t index 2f75e2a68e8e..4016e4fb1880 100644 --- a/extensions/libxt_sctp.t +++ b/extensions/libxt_sctp.t 
@@ -23,10 +23,7 @@ -p sctp -m sctp --chunk-types all COOKIE_ACK;=;OK -p sctp -m sctp --chunk-types all ECN_ECNE;=;OK -p sctp -m sctp --chunk-types all ECN_CWR;=;OK -# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all ASCONF -# -p sctp -m sctp --chunk-types all ASCONF;=;OK -# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all ASCONF_ACK -# -p sctp -m sctp --chunk-types all ASCONF_ACK;=;OK -# ERROR: iptables-save segfaults: iptables -A INPUT -p sctp -m sctp --chunk-types all FORWARD_TSN -# -p sctp -m sctp --chunk-types all FORWARD_TSN;=;OK +-p sctp -m sctp --chunk-types all ASCONF;=;OK +-p sctp -m sctp --chunk-types all ASCONF_ACK;=;OK +-p sctp -m sctp --chunk-types all FORWARD_TSN;=;OK -p sctp -m sctp --chunk-types all SHUTDOWN_COMPLETE;=;OK
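Review bot: In print_chunk() in extensions/libxt_sctp.c, the lookup loop has no break after the match and no fallback when nothing matches. Indexing with i removes the out-of-range access, but the loop still scans the rest of sctp_chunk_names[] after printing, and a chunknum with no entry in the table prints nothing here. Consider adding a break after the printf and printing the numeric value when the loop ends without a match, so the listed rule never shows an empty chunk type.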
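Review bot: In extensions/libxt_sctp.t, the three re-enabled lines exercise ASCONF, ASCONF_ACK and FORWARD_TSN one at a time, while the reproducer in the commit message passes all three as a single comma-separated list. Consider adding a test line for the combined list as well, so the case from the changelog is covered by the test suite and not only the single-chunk forms.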