Skip to content

Fix command injection and integer handling vulnerabilities in wire server #99

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sharadboni wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Fix command injection and integer handling vulnerabilities in wire server #99

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
bda9ae7
net-test: packetdrill: validate IP string before building iptables co…
sharadboni Apr 27, 2026
e074e79
net-test: packetdrill: add bounds check in nla_expr_list_to_nla
sharadboni Apr 27, 2026
8a60e34
net-test: packetdrill: reject negative optlen in syscall_getsockopt
sharadboni Apr 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions gtests/net/packetdrill/run_system_call.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -506,6 +506,10 @@ static int nla_expr_list_to_nla(struct expression_list *list,
die("out of bound u32 value specified\n");

get_nla_value(value, &val, num_bytes);
if ((char *)dst + NLA_ALIGN(NLA_HDRLEN + num_bytes) - (char *)start > dst_len) {
asprintf(error, "NLA buffer overflow: dst_len=%d exceeded", dst_len);
return STATUS_ERR;
}
dst += add_nla(dst, key_num, nla_info[key_num].length, &val);
}

Expand Down Expand Up @@ -2583,6 +2587,10 @@ static int syscall_getsockopt(struct state *state, struct syscall_spec *syscall,
return STATUS_ERR;

/* Allocate space for getsockopt output. */
if (script_optlen < 0) {
asprintf(error, "getsockopt: negative optlen %d", script_optlen);
return STATUS_ERR;
}
live_optlen = script_optlen;
live_optval = calloc(1, live_optlen + 1);
assert(live_optval != NULL);
Expand Down
18 changes: 18 additions & 0 deletions gtests/net/packetdrill/wire_server_netdev.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@

#include "wire_server_netdev.h"

#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>
Expand Down Expand Up @@ -109,6 +110,17 @@ static void wire_server_netdev_dump_firewall_rules(const struct config *config)
#endif
}

/* Validate that a string looks like an IP address (no shell metacharacters). */
static bool is_safe_ip_string(const char *s)
{
if (!s) return false;
for (; *s; ++s) {
if (!isalnum((unsigned char)*s) && *s != '.' && *s != ':' && *s != '%')
return false;
}
return true;
}

/* Drop incoming test traffic packets from the kernel under test, before they
* are seen by the TCP/UDP/etc layers of the wire server machine. In some cases
* (e.g., if a network does not allow spoofing) the packetdrill test traffic
Expand All @@ -123,6 +135,9 @@ static void wire_server_netdev_drop_test_traffic(const struct config *config)
#ifdef linux
char *command = NULL;

if (!is_safe_ip_string(config->live_local_ip_string))
die("wire_server_netdev: unsafe IP address string\n");

asprintf(&command,
"("
/* drop TCP to connect port: */
Expand Down Expand Up @@ -156,6 +171,9 @@ static void wire_server_netdev_permit_test_traffic(const struct config *config)
#ifdef linux
char *command = NULL;

if (!is_safe_ip_string(config->live_local_ip_string))
die("wire_server_netdev: unsafe IP address string\n");

asprintf(&command,
"("
/* TCP to connect port: */
Expand Down