@petrvaganoff petrvaganoff commented May 28, 2025

Found by fuzzing with AFL++:

# ipfw -n '/vol/fuzz_res/mmopt_ipfw/crashes.2021-08-18-13:16:06/id:000423,sig:06,src:000966+000568,time:82060605,op:splice,rep:4'
=================================================================
==1597==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000000c8 at pc 0x000000572480 bp 0x7ffec85f1370 sp 0x7ffec85f1368
READ of size 1 at 0x60d0000000c8 thread T0
    #0 0x57247f in fill_ip /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/ipfw2.c:2907:10
    #1 0x519921 in add_dstip /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/ipfw2.c:3344:2
    #2 0x519921 in add_dst /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/ipfw2.c:3448:9
    #3 0x519921 in compile_rule /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/ipfw2.c:4039:6
    #4 0x54e163 in ipfw_add /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/ipfw2.c:4699:2
    #5 0x5a3e5c in ipfw_main /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/main.c:406:4
    #6 0x59e8e6 in ipfw_readfile /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/main.c:574:3
    #7 0x59e8e6 in main /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/main.c:617:4
    #8 0x7fab37fec1e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #9 0x41e70d in _start (/usr/bin/ipfw+0x41e70d)
 
0x60d0000000c8 is located 0 bytes to the right of 136-byte region [0x60d000000040,0x60d0000000c8)
allocated by thread T0 here:
    #0 0x4c2177 in calloc (/usr/bin/ipfw+0x4c2177)
    #1 0x4f860b in safe_calloc /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/ipfw2.c:496:14
    #2 0x59e8e6 in ipfw_readfile /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/main.c:574:3
    #3 0x59e8e6 in main /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/main.c:617:4
    #4 0x7fab37fec1e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
 
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/rpmbuild/BUILD/netmap-ipfw-94a0f7e68c485bcc928894c9369e80d746cca41d/ipfw/ipfw2.c:2907:10 in fill_ip
==1597==ABORTING

Under the debugger, it shows that the problem lies in the lack of a check for the end of the line, and in the access to memory for the line in the last iteration of the loop, if the line does not end with the character '}'.

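As an added illustration, not the project's own code, here is a simplified stand-in for a brace-delimited host-set loop of the kind the report describes, written so that a list missing its closing '}' is rejected at the terminating NUL instead of being stepped past. The function name, the 256-bit bitmap layout and the accepted syntax are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: parse the comma-separated entries that follow a '{'
 * (e.g. "1,2,200}") and set bit a in a 256-bit map.  Returns the number of
 * entries on success, -1 on a malformed list. */
static int
parse_host_set(const char *av, uint32_t map[8])
{
    int n = 0;
    memset(map, 0, 8 * sizeof(uint32_t));
    for (;;) {
        char *p;
        long a = strtol(av, &p, 0);
        if (p == av || a < 0 || a > 255)   /* no digits, or out of range */
            return -1;
        map[a / 32] |= 1u << (a % 32);
        n++;
        if (*p == '}')
            return n;                      /* well-formed end of the set */
        /* This is the end-of-line check the crash report says is missing:
         * on a list without '}', strtol stops at the NUL, and advancing
         * with "av = p + 1" would read beyond the allocated line. */
        if (*p == '\0')
            return -1;                     /* unterminated set */
        if (*p != ',')
            return -1;                     /* unexpected separator */
        av = p + 1;
    }
}

/* Helper for checking membership in the map produced above. */
static int
host_in_set(const uint32_t map[8], int a)
{
    return (map[a / 32] >> (a % 32)) & 1u;
}
```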