From patchwork Wed Aug 22 09:22:53 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefano Brivio X-Patchwork-Id: 960865 X-Patchwork-Delegate: kadlec@blackhole.kfki.hu Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 41wMXT5KTFz9s5c for ; Wed, 22 Aug 2018 19:23:05 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728346AbeHVMrI (ORCPT ); Wed, 22 Aug 2018 08:47:08 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:55412 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726448AbeHVMrH (ORCPT ); Wed, 22 Aug 2018 08:47:07 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id EFAA07A7EC; Wed, 22 Aug 2018 09:23:04 +0000 (UTC) Received: from epycfail.redhat.com (ovpn-200-16.brq.redhat.com [10.40.200.16]) by smtp.corp.redhat.com (Postfix) with ESMTP id D754E2026D74; Wed, 22 Aug 2018 09:23:03 +0000 (UTC) 
From: Stefano Brivio To: Jozsef Kadlecsik Cc: netfilter-devel@vger.kernel.org Subject: [PATCH ipset 1/4] Fix use-after-free in ipset_parse_name_compat() Date: Wed, 22 Aug 2018 11:22:53 +0200 Message-Id: <975c9640eb5d8b92d190da286a41ef579d1046fb.1534929327.git.sbrivio@redhat.com> In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Wed, 22 Aug 2018 09:23:04 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Wed, 22 Aug 2018 09:23:04 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'sbrivio@redhat.com' RCPT:'' Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org When check_setname is used in ipset_parse_name_compat(), the 'str' and 'saved' macro arguments point in fact to the same buffer. Free the 'saved' argument only after using it. While at it, remove a useless NULL check on 'saved'. Signed-off-by: Stefano Brivio --- lib/parse.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/parse.c b/lib/parse.c index 9a79ccda796c..4963d519c631 100644 --- a/lib/parse.c +++ b/lib/parse.c 
@@ -1396,10 +1396,11 @@ ipset_parse_iptimeout(struct ipset_session *session, #define check_setname(str, saved) \ do { \ if (strlen(str) > IPSET_MAXNAMELEN - 1) { \ - if (saved != NULL) \ - free(saved); \ - return syntax_err("setname '%s' is longer than %u characters",\ + int err; \ + err = syntax_err("setname '%s' is longer than %u characters",\ str, IPSET_MAXNAMELEN - 1); \ + free(saved); \ + return err; \ } \ } while (0) From patchwork Wed Aug 22 09:22:54 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefano Brivio X-Patchwork-Id: 960866 X-Patchwork-Delegate: kadlec@blackhole.kfki.hu Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 41wMXW330Cz9s5c for ; Wed, 22 Aug 2018 19:23:07 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728380AbeHVMrJ (ORCPT ); Wed, 22 Aug 2018 08:47:09 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:42692 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726448AbeHVMrJ (ORCPT ); Wed, 22 Aug 2018 08:47:09 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 540314023ECB; Wed, 22 Aug 2018 09:23:06 +0000 (UTC) Received: from epycfail.redhat.com (ovpn-200-16.brq.redhat.com [10.40.200.16]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5DE422026D74; Wed, 22 Aug 2018 
09:23:05 +0000 (UTC) From: Stefano Brivio To: Jozsef Kadlecsik Cc: netfilter-devel@vger.kernel.org Subject: [PATCH ipset 2/4] Simplify return statement in ipset_mnl_query() Date: Wed, 22 Aug 2018 11:22:54 +0200 Message-Id: <8cdcb4bb3baab5297b880382d70dca8645cc6255.1534929327.git.sbrivio@redhat.com> In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Wed, 22 Aug 2018 09:23:06 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Wed, 22 Aug 2018 09:23:06 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'sbrivio@redhat.com' RCPT:'' Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org As we loop as long as 'ret' is greater than zero, and break only if we get an error in mnl_cb_run2 (with ret <= 0), we can just return ret without checking once more if it's greater than zero. Signed-off-by: Stefano Brivio --- lib/mnl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/mnl.c b/lib/mnl.c index a0fa66ecdb80..4e075cf94f00 100644 --- a/lib/mnl.c +++ b/lib/mnl.c 
@@ -115,7 +115,7 @@ ipset_mnl_query(struct ipset_handle *handle, void *buffer, size_t len) ret = mnl_socket_recvfrom(handle->h, buffer, len); D("message received, ret: %d", ret); } - return ret > 0 ? 0 : ret; + return ret; } static struct ipset_handle * From patchwork Wed Aug 22 09:22:55 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefano Brivio X-Patchwork-Id: 960867 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 41wMXX71JQz9s5c for ; Wed, 22 Aug 2018 19:23:08 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728388AbeHVMrL (ORCPT ); Wed, 22 Aug 2018 08:47:11 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:57114 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726448AbeHVMrL (ORCPT ); Wed, 22 Aug 2018 08:47:11 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A565A40200A0; Wed, 22 Aug 2018 09:23:07 +0000 (UTC) Received: from epycfail.redhat.com (ovpn-200-16.brq.redhat.com [10.40.200.16]) by smtp.corp.redhat.com (Postfix) with ESMTP id C147F2026D74; Wed, 22 Aug 2018 09:23:06 +0000 (UTC) 
From: Stefano Brivio To: Jozsef Kadlecsik Cc: netfilter-devel@vger.kernel.org Subject: [PATCH ipset 3/4] Check setname length in session code before copying it Date: Wed, 22 Aug 2018 11:22:55 +0200 Message-Id: <2466195c345bde18c7f288477d0580835cace190.1534929327.git.sbrivio@redhat.com> In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Wed, 22 Aug 2018 09:23:07 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Wed, 22 Aug 2018 09:23:07 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'sbrivio@redhat.com' RCPT:'' Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org We might overrun the buffer used to save it otherwise. Signed-off-by: Stefano Brivio --- lib/session.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/lib/session.c b/lib/session.c index ca96aaa57ea6..7cf3858ca97d 100644 --- a/lib/session.c +++ b/lib/session.c @@ -1069,6 +1069,7 @@ callback_list(struct ipset_session *session, struct nlattr *nla[], if (nla[IPSET_ATTR_DATA] != NULL) { struct nlattr *cattr[IPSET_ATTR_CREATE_MAX+1] = {}; + const char *setname; if (!(nla[IPSET_ATTR_TYPENAME] && nla[IPSET_ATTR_FAMILY] && @@ -1097,7 +1098,12 @@ callback_list(struct ipset_session *session, struct nlattr *nla[], cmd2name[cmd]); if (list_create(session, cattr) != MNL_CB_OK) return MNL_CB_ERROR; - strcpy(session->saved_setname, ipset_data_setname(data)); + setname = ipset_data_setname(data); + if (!setname || strlen(setname) >= IPSET_MAXNAMELEN) + FAILURE("Broken %s kernel message: " + "setname missing or too long!", + cmd2name[cmd]); + strcpy(session->saved_setname, setname); } if (nla[IPSET_ATTR_ADT] != NULL) { 
@@ -2014,7 +2020,11 @@ ipset_cmd(struct ipset_session *session, enum ipset_cmd cmd, uint32_t lineno) if (session->lineno != 0 && (cmd == IPSET_CMD_ADD || cmd == IPSET_CMD_DEL)) { /* Save setname for the next possible aggregated restore line */ - strcpy(session->saved_setname, ipset_data_setname(data)); + const char *setname = ipset_data_setname(data); + if (!setname || strlen(setname) >= IPSET_MAXNAMELEN) + return ipset_err(session, + "Invalid command: setname missing or too long"); + strcpy(session->saved_setname, setname); ipset_data_reset(data); /* Don't commit: we may aggregate next command */ ret = 0; From patchwork Wed Aug 22 09:22:56 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefano Brivio X-Patchwork-Id: 960868 X-Patchwork-Delegate: kadlec@blackhole.kfki.hu Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 41wMXZ0zd5z9rvt for ; Wed, 22 Aug 2018 19:23:10 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728400AbeHVMrM (ORCPT ); Wed, 22 Aug 2018 08:47:12 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:55416 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726448AbeHVMrM (ORCPT ); Wed, 22 Aug 2018 08:47:12 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 138F97A7ED; Wed, 22 
Aug 2018 09:23:09 +0000 (UTC) Received: from epycfail.redhat.com (ovpn-200-16.brq.redhat.com [10.40.200.16]) by smtp.corp.redhat.com (Postfix) with ESMTP id 203802026D74; Wed, 22 Aug 2018 09:23:07 +0000 (UTC) From: Stefano Brivio To: Jozsef Kadlecsik Cc: netfilter-devel@vger.kernel.org Subject: [PATCH ipset 4/4] Fix leak in build_argv() on line parsing error Date: Wed, 22 Aug 2018 11:22:56 +0200 Message-Id: <9cd190197667c6ab13693bb1df1e2dcec4c56e37.1534929327.git.sbrivio@redhat.com> In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Wed, 22 Aug 2018 09:23:09 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Wed, 22 Aug 2018 09:23:09 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'sbrivio@redhat.com' RCPT:'' Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Signed-off-by: Stefano Brivio --- src/ipset.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/ipset.c b/src/ipset.c index ce1b73f51633..14a351a125f2 100644 --- a/src/ipset.c +++ b/src/ipset.c @@ -176,7 +176,7 @@ build_argv(char *buffer) if ((newargc + 1) == (int)(sizeof(newargv)/sizeof(char *))) { exit_error(PARAMETER_PROBLEM, "Line is too long to parse."); - return; + goto out; } switch (*tmp) { case '"': @@ -200,7 +200,7 @@ build_argv(char *buffer) } if (!*(tmp+1) && quoted) { exit_error(PARAMETER_PROBLEM, "Missing close quote!"); - return; + goto out; } if (!*arg) continue; @@ -209,6 +209,7 @@ build_argv(char *buffer) memset(arg, 0, strlen(arg) + 1); i = 0; } +out: free(arg); }
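Review bot: in [PATCH ipset 1/4], lib/parse.c, check_setname(): the `int err;` now declared inside the macro body shadows any `err` in the calling function, and a caller that passes an expression involving its own `err` as `str` would end up reading the macro's uninitialised local in the `syntax_err()` call. A less collision-prone name (for example `setname_err`) avoids that. It would also help to add a comment above the macro stating that `str` may alias `saved`, so `free(saved)` has to stay after the last use of `str`; at the moment that ordering constraint is recorded only in the commit message.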
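Review bot: in [PATCH ipset 2/4], lib/mnl.c, ipset_mnl_query(): `return ret;` matches the old `ret > 0 ? 0 : ret` only if the loop can never be left with a positive `ret`, and the loop condition and the break the commit message relies on are outside this hunk's context. Please confirm that no exit path leaves the positive value from `mnl_socket_recvfrom()` in `ret`, because a caller that treats non-zero as failure would then misread success. A one-line comment above the return stating the invariant (`ret <= 0` here) would make this checkable in place.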
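Review bot: in [PATCH ipset 3/4], lib/session.c, callback_list(): the length check is correct for a buffer of IPSET_MAXNAMELEN bytes, but the copy that follows is still an unbounded `strcpy(session->saved_setname, setname)`, so its safety depends on the check staying directly above it and on `saved_setname` keeping that size. A bounded copy tied to `sizeof(session->saved_setname)` would keep the guarantee local to the copy. The check also runs only after `list_create(session, cattr)` has returned MNL_CB_OK; if the setname is already available at that point, validating it before `list_create()` avoids doing that work for a message that is then rejected.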
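Review bot: in [PATCH ipset 3/4], lib/session.c, ipset_cmd(): the new early `return ipset_err(...)` leaves the function before `ipset_data_reset(data)`, which the success path calls right after the copy. Please check whether `data` should be reset on this error path as well, so a rejected ADD/DEL line does not leave stale fields for the next aggregated restore line. The three-line `!setname || strlen(setname) >= IPSET_MAXNAMELEN` test is now duplicated here and in callback_list(); a small helper that validates and copies into `saved_setname` would keep the two sites from drifting apart.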
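Review bot: in [PATCH ipset 4/4], src/ipset.c, build_argv(): the commit has no body, so it is not stated that the leaked object is `arg`, which is what the new `out:` label in front of `free(arg)` releases; one sentence in the message would document that. Both `goto out` sites sit after `exit_error(PARAMETER_PROBLEM, ...)`, and at that point `newargv` may already hold `newargc` entries from earlier tokens on the line. If those entries are allocated copies, the error path should release them too, or the message should say who owns them.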