From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308

Description of problem:
There are a couple of out-of-bounds accesses in the iptables REJECT and rpcs extensions. They would print garbage, core dump the program, or act badly. The net effect could be bad if it choked, leaving a table in an unknown state. I will attach a patch that fixes it.

Version-Release number of selected component (if applicable):
iptables-1.2.11-2

How reproducible:
Didn't try

Steps to Reproduce:
1. Found in code review.

Additional info:
Created attachment 103490: Patch that addresses the oob accesses
The second part of the patch is accepted by the netfilter core team, but the first part is not. I will apply the second part, but not the first.
What's wrong with the first part? Here's the core of the problem:

    for (i=0; i<sizeof(reject_table)/sizeof(struct reject_names); i++) {
        if (reject_table[i].with == reject->with)
            break;
    }
    printf("reject-with %s ", reject_table[i].name);

What if the break is never hit and i > the last legal entry? The unconditional printf will index beyond the reject_table.
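To illustrate the index problem discussed in the comment above, here is an added C example; it is not the attached patch and not iptables' own source, and its table entries and numeric "with" codes are constructed stand-ins for the real reject_names table. The unchecked search reproduces the loop from the comment and returns an index that is one past the end when nothing matches; the checked wrapper is one way to validate that index before it is used to read a name.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the REJECT extension's name table; the names
 * and numeric "with" codes are illustrative, not iptables' real enum. */
struct reject_names {
    const char *name;
    int with;
};

static const struct reject_names reject_table[] = {
    { "icmp-net-unreachable",  0 },
    { "icmp-host-unreachable", 1 },
    { "icmp-port-unreachable", 3 },
    { "tcp-reset",             6 },
};

#define REJECT_TABLE_LEN (sizeof(reject_table) / sizeof(reject_table[0]))

/* The search loop as written in the report: when no entry matches, the loop
 * runs to completion and i equals REJECT_TABLE_LEN, one past the last valid
 * index. Reading reject_table[i].name with that i is the out-of-bounds
 * access described in the thread, so callers must check the result. */
size_t reject_lookup_unchecked(int with)
{
    size_t i;
    for (i = 0; i < REJECT_TABLE_LEN; i++) {
        if (reject_table[i].with == with)
            break;
    }
    return i;
}

/* Hardened form: the index is validated before use, and an unmatched code
 * maps to a fixed fallback string instead of whatever memory follows the table. */
const char *reject_name_checked(int with)
{
    size_t i = reject_lookup_unchecked(with);
    if (i >= REJECT_TABLE_LEN)
        return "unknown";
    return reject_table[i].name;
}

/* Same output the original printf produced, but only via the checked path. */
void print_reject_with(int with)
{
    printf("reject-with %s ", reject_name_checked(with));
}

int main(void)
{
    int codes[] = { 3, 6, 99 };   /* 99 is a constructed code with no table entry */
    size_t n;
    for (n = 0; n < sizeof(codes) / sizeof(codes[0]); n++) {
        print_reject_with(codes[n]);
        printf("(index %zu of %zu)\n",
               reject_lookup_unchecked(codes[n]), REJECT_TABLE_LEN);
    }
    return 0;
}
```

Returning a fixed fallback rather than skipping the print keeps the rule listing aligned with the rules actually loaded, which is the failure mode the reporter worries about (a table left in an unknown state because the tool choked mid-way).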
Fixed in rawhide in rpm iptables-1.3.0-2 or newer.