Bug 588699 - iptables cause buffer overflow for tables with names with length of 29 or 30 chars
Summary: iptables cause buffer overflow for tables with names with length of 29 or 30 ...
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 12
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2010-05-04 10:27 UTC by Jaiv
Modified: 2010-12-03 15:06 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2010-12-03 15:06:34 UTC

Attachments (Terms of Use)

Description Jaiv 2010-05-04 10:27:08 UTC
Description of problem:

Iptables of the version 1.4.5-1 allows you to create table with the name of maximum length of 30 chars. However if you create name with the length of 29 or 30 chars and then you try to enter jump rule into that table, you will get buffer overflow and backtrace. Am I the only one using long table names? ;) Common guys!!!

Version-Release number of selected component (if applicable):
I saw the same behaviour on both x86_64 and i686 systems:
- iptables-1.4.5-1.fc12.x86_64 (glibc-2.11.1-4.x86_64, kernel-
- iptables-1.4.5-1.fc12.i686 (glibc-2.11.1-4.i686, kernel- and also tested on kernel- 

How reproducible:

Steps to Reproduce:
1. iptables -N log_deny_non_phost_abcde_rngs
2. iptables -A FORWARD -p ICMP -j log_deny_non_phost_abcde_rngs
Actual results:
 *** buffer overflow detected ***: iptables terminated
======= Backtrace: =========
======= Memory map: ========
00187000-00188000 r-xp 00000000 00:00 0          [vdso]
00208000-00377000 r-xp 00000000 fd:06 138808     /lib/libc-2.11.1.so
00377000-00379000 r--p 0016e000 fd:06 138808     /lib/libc-2.11.1.so
00379000-0037a000 rw-p 00170000 fd:06 138808     /lib/libc-2.11.1.so
0037a000-0037d000 rw-p 00000000 00:00 0
005a3000-005aa000 r-xp 00000000 fd:06 160597     /usr/lib/libxtables.so.2.1.0
005aa000-005ab000 rw-p 00006000 fd:06 160597     /usr/lib/libxtables.so.2.1.0
005ad000-005b3000 r-xp 00000000 fd:06 173402     /usr/lib/libip4tc.so.0.0.0
005b3000-005b4000 rw-p 00005000 fd:06 173402     /usr/lib/libip4tc.so.0.0.0
0061c000-0063a000 r-xp 00000000 fd:06 132968     /lib/ld-2.11.1.so
0063a000-0063b000 r--p 0001d000 fd:06 132968     /lib/ld-2.11.1.so
0063b000-0063c000 rw-p 0001e000 fd:06 132968     /lib/ld-2.11.1.so
00b81000-00b9e000 r-xp 00000000 fd:06 212712     /lib/libgcc_s-4.4.3-20100127.so                               .1
00b9e000-00b9f000 rw-p 0001c000 fd:06 212712     /lib/libgcc_s-4.4.3-20100127.so                               .1
00c22000-00c23000 r-xp 00000000 fd:06 133824     /lib/xtables/libxt_standard.so
00c23000-00c24000 rw-p 00000000 fd:06 133824     /lib/xtables/libxt_standard.so
00d25000-00d30000 r-xp 00000000 fd:06 138822     /lib/libnss_files-2.11.1.so
00d30000-00d31000 r--p 0000a000 fd:06 138822     /lib/libnss_files-2.11.1.so
00d31000-00d32000 rw-p 0000b000 fd:06 138822     /lib/libnss_files-2.11.1.so
00e47000-00e6f000 r-xp 00000000 fd:06 138815     /lib/libm-2.11.1.so
00e6f000-00e70000 r--p 00027000 fd:06 138815     /lib/libm-2.11.1.so
00e70000-00e71000 rw-p 00028000 fd:06 138815     /lib/libm-2.11.1.so
00fcd000-00fd0000 r-xp 00000000 fd:06 138813     /lib/libdl-2.11.1.so
00fd0000-00fd1000 r--p 00002000 fd:06 138813     /lib/libdl-2.11.1.so
00fd1000-00fd2000 rw-p 00003000 fd:06 138813     /lib/libdl-2.11.1.so
08047000-08054000 r-xp 00000000 fd:06 180147     /sbin/iptables-multi
08054000-08055000 rw-p 0000d000 fd:06 180147     /sbin/iptables-multi
08055000-0809c000 rw-p 00000000 00:00 0
08e78000-08e99000 rw-p 00000000 00:00 0          [heap]
b78be000-b78c0000 rw-p 00000000 00:00 0
b78d6000-b78d7000 rw-p 00000000 00:00 0
bfe8d000-bfea2000 rw-p 00000000 00:00 0          [stack]
Aborted (core dumped)

Expected results:
No core dump ;)

Additional info:
Workaround: Use names with the length up to 28 chars (including)
iptables -N log_deny_non_phost_abcde_rn
iptables -A FORWARD -p ICMP -j log_deny_non_phost_abcde_rn
(no core dumped as names is 28 chars)

Comment 1 Jaiv 2010-05-04 11:03:22 UTC
Sorry guys I swapped kernel versions here are corrected data:

- iptables-1.4.5-1.fc12.x86_64
  kernel- and also tested on
- iptables-1.4.5-1.fc12.i686 

Comment 2 Bug Zapper 2010-11-03 15:41:06 UTC
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 

Comment 3 Bug Zapper 2010-12-03 15:06:34 UTC
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.