Bug 62850 (CVE-2004-0986)

Summary: VUL-0: CVE-2004-0986: uninitialised variable in iptables
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Ludwig Nussel <lnussel>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0986: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: iptables.patch.box, iptables.patch.maintained

Description Ludwig Nussel 2004-11-02 20:55:07 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Tue, 26 Oct 2004 16:32:18 +0200
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0986: iptables and ip6tables fail to load ipt* kernel modules

Hi,

due to an uninitialised variable iptables and ip6tables fail to
load the proper kernel modules, which may result in rules not
implemented.  The fix is easy and I'm attaching the official
upstream correction.  This problem is already public through
our bugtracking system and netfilter-dev.

Regards,

	Joey

-- 
Testing? What's that? If it compiles, it is good, if it boots up, it is perfect.

Index: iptables.c
===================================================================
--- iptables.c	(revision 3243)
+++ iptables.c	(working copy)
 	int procfile;
 	char *ret;
 
+#define PROCFILE_BUFSIZ	1024
 	procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
 	if (procfile < 0)
 		return NULL;
 
-	ret = malloc(1024);
+	ret = (char *) malloc(PROCFILE_BUFSIZ);
 	if (ret) {
-		switch (read(procfile, ret, 1024)) {
+		memset(ret, 0, PROCFILE_BUFSIZ);
+		switch (read(procfile, ret, PROCFILE_BUFSIZ)) {
 		case -1: goto fail;
-		case 1024: goto fail; /* Partial read.  Wierd */
+		case PROCFILE_BUFSIZ: goto fail; /* Partial read.  Wierd */
 		}
 		if (ret[strlen(ret)-1]=='\n') 
 			ret[strlen(ret)-1]=0;
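Review bot: the trailing-newline check `if (ret[strlen(ret)-1]=='\n')` still indexes `ret[-1]` when `read()` returns 0, because the new `memset` leaves the buffer as an empty string in that case. Keep the return value of `read()` in a variable, fail on 0 as well as on -1, and use that length to strip the newline instead of calling `strlen()` twice. The `#define PROCFILE_BUFSIZ` would also read better at file scope than between the declarations and the `open()` call.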
Index: ip6tables.c
===================================================================
--- ip6tables.c	(revision 3243)
+++ ip6tables.c	(working copy)
 	int procfile;
 	char *ret;
 
+#define PROCFILE_BUFSIZ 1024
 	procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
 	if (procfile < 0)
 		return NULL;
 
-	ret = malloc(1024);
+	ret = malloc(PROCFILE_BUFSIZ);
 	if (ret) {
-		switch (read(procfile, ret, 1024)) {
+		memset(ret, 0, PROCFILE_BUFSIZ);
+		switch (read(procfile, ret, PROCFILE_BUFSIZ)) {
 		case -1: goto fail;
-		case 1024: goto fail; /* Partial read.  Wierd */
+		case PROCFILE_BUFSIZ: goto fail; /* Partial read.  Wierd */
 		}
 		if (ret[strlen(ret)-1]=='\n') 
 			ret[strlen(ret)-1]=0;
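Review bot: `ret = malloc(PROCFILE_BUFSIZ);` here has no cast, while the iptables.c hunk writes `ret = (char *) malloc(PROCFILE_BUFSIZ);`. The two copies of this function should stay textually identical, and the cast is unnecessary in C, so drop it in iptables.c. The `malloc` plus `memset` pair can be a single `calloc(1, PROCFILE_BUFSIZ)`. The comment on `case PROCFILE_BUFSIZ:` only says "Partial read", but rejecting a full-buffer read is also what guarantees a terminating NUL remains in the zeroed buffer for the `strlen(ret)` that follows; the comment should say so.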
Comment 1 Marcus Meissner 2004-11-02 20:57:32 UTC
*** Bug 62849 has been marked as a duplicate of this bug. ***
Comment 2 Petr Ostadal 2004-11-03 00:03:15 UTC
I fixed and submitted packages for ul1, 8.2, 9.0, sles9, 9.2 and STABLE, you can create and submit patchinfo.
Comment 3 Ludwig Nussel 2004-11-03 01:07:04 UTC
Created attachment 25709
iptables.patch.box
Comment 4 Ludwig Nussel 2004-11-03 01:07:16 UTC
Created attachment 25710
iptables.patch.maintained
Comment 5 Marcus Meissner 2004-11-25 21:28:24 UTC
updates released. 
Comment 6 Thomas Biege 2009-10-13 19:57:34 UTC
CVE-2004-0986: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)