From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf v2] netfilter: nf_tables: fix destination register zeroing
Date: Fri, 21 Aug 2020 17:41:27 +0200
Message-ID: <20200821154127.GA31079@salvia>
In-Reply-To: <20200820190550.7736-1-fw@strlen.de>

On Thu, Aug 20, 2020 at 09:05:50PM +0200, Florian Westphal wrote:
> Following bug was reported via irc:
> nft list ruleset
>    set knock_candidates_ipv4 {
>       type ipv4_addr . inet_service
>       size 65535
>       elements = { 127.0.0.1 . 123,
>                    127.0.0.1 . 123 }
>       }
>  ..
>    udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 }
>    udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport }
> 
> It should not have been possible to add a duplicate set entry.
> 
> After some debugging it turned out that the problem is the immediate
> value (123) in the second-to-last rule.
> 
> Concatenations use 32bit registers, i.e. the elements are 8 bytes each,
> not 6 and it turns out the kernel inserted
> 
> inet firewall @knock_candidates_ipv4
>         element 0100007f ffff7b00  : 0 [end]
>         element 0100007f 00007b00  : 0 [end]
> 
> Note the non-zero upper bits of the first element.  It turns out that
> nft_immediate doesn't zero the destination register, but this is needed
> when the length isn't a multiple of 4.
> 
> Furthermore, the zeroing in nft_payload is broken.  We can't use
> [len / 4] = 0 -- if len is a multiple of 4, index is off by one.
> 
> Skip zeroing in this case and use a conditional instead of (len -1) / 4.

Applied, thanks.
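
Added example, not part of the thread or of the kernel patch: a userspace C model of the register handling the quoted commit message describes, comparing no zeroing, unconditional `[len / 4] = 0`, and conditional zeroing. All function names, the stale register values and the neighbour check are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Userspace model, hypothetical names, not kernel code. Sample: 127.0.0.1 . 123 */
typedef void (*store_fn)(uint32_t *dest, const void *src, size_t len);
static const uint8_t saddr[4] = {127, 0, 0, 1}, port[2] = {0x00, 0x7b};
/* No zeroing: a short value leaves stale bytes in its last 32-bit register. */
static void store_unzeroed(uint32_t *dest, const void *src, size_t len)
{
    memcpy(dest, src, len);
}
/* Unconditional [len / 4] = 0: off by one when len is a multiple of 4. */
static void store_zero_len_div4(uint32_t *dest, const void *src, size_t len)
{
    dest[len / 4] = 0;
    memcpy(dest, src, len);
}
/* Conditional zeroing: clear only a partially filled last register. */
static void store_zero_conditional(uint32_t *dest, const void *src, size_t len)
{
    if (len % 4)
        dest[len / 4] = 0;
    memcpy(dest, src, len);
}
/* 1 if the same address and port give different 8-byte set keys when the
 * registers held different stale contents beforehand (a duplicate entry). */
static int keys_differ(store_fn store)
{
    uint32_t stale[2] = {0xffffffffu, 0}, regs[2][2];
    for (int i = 0; i < 2; i++) {
        regs[i][0] = regs[i][1] = stale[i];
        store(&regs[i][0], saddr, sizeof(saddr));
        store(&regs[i][1], port, sizeof(port));
    }
    return memcmp(regs[0], regs[1], sizeof(regs[0])) != 0;
}
/* 1 if storing a 4-byte value in regs[0] wipes live data in regs[1]. */
static int clobbers_neighbour(store_fn store)
{
    uint32_t regs[2] = {0, 0xdeadbeefu};
    store(&regs[0], saddr, sizeof(saddr));
    return regs[1] != 0xdeadbeefu;
}
int main(void)
{
    store_fn f[3] = {store_unzeroed, store_zero_len_div4, store_zero_conditional};
    for (int i = 0; i < 3; i++)
        printf("variant %d: duplicate=%d clobber=%d\n", i, keys_differ(f[i]), clobbers_neighbour(f[i]));
    return 0;
}
```

Only the conditional variant avoids both failure modes: the key is identical regardless of stale register contents, and a 4-byte store leaves the next register alone.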


Thread overview: 2+ messages
2020-08-20 19:05 [PATCH nf v2] netfilter: nf_tables: fix destination register zeroing Florian Westphal
2020-08-21 15:41 ` Pablo Neira Ayuso [this message]
