[PATCH libnftnl] set: buffer overflow in NFTNL_SET_DESC

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH libnftnl] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
@ 2024-01-11 22:25 Pablo Neira Ayuso
  2024-01-12 11:41 ` Phil Sutter
  0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2024-01-11 22:25 UTC (permalink / raw)
  To: netfilter-devel

Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
the array boundary.

Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/set.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/set.c b/src/set.c
index 719e59616e97..b51ff9e0ba64 100644
--- a/src/set.c
+++ b/src/set.c
@@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
 		memcpy(&s->desc.size, data, sizeof(s->desc.size));
 		break;
 	case NFTNL_SET_DESC_CONCAT:
+		if (data_len > sizeof(s->desc.field_len))
+			return -1;
+
 		memcpy(&s->desc.field_len, data, data_len);
-		while (s->desc.field_len[++s->desc.field_count]);
+		while (s->desc.field_len[++s->desc.field_count]) {
+			if (s->desc.field_count >= NFT_REG32_COUNT)
+				break;
+		}
 		break;
 	case NFTNL_SET_TIMEOUT:
 		memcpy(&s->timeout, data, sizeof(s->timeout));
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH libnftnl] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
  2024-01-11 22:25 [PATCH libnftnl] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter Pablo Neira Ayuso
@ 2024-01-12 11:41 ` Phil Sutter
  2024-01-12 12:07   ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Phil Sutter @ 2024-01-12 11:41 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Thu, Jan 11, 2024 at 11:25:27PM +0100, Pablo Neira Ayuso wrote:
> Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
> bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
> the array boundary.
> 
> Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  src/set.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/src/set.c b/src/set.c
> index 719e59616e97..b51ff9e0ba64 100644
> --- a/src/set.c
> +++ b/src/set.c
> @@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
>  		memcpy(&s->desc.size, data, sizeof(s->desc.size));
>  		break;
>  	case NFTNL_SET_DESC_CONCAT:
> +		if (data_len > sizeof(s->desc.field_len))
> +			return -1;
> +
>  		memcpy(&s->desc.field_len, data, data_len);
> -		while (s->desc.field_len[++s->desc.field_count]);
> +		while (s->desc.field_len[++s->desc.field_count]) {
> +			if (s->desc.field_count >= NFT_REG32_COUNT)
> +				break;
> +		}

Isn't the second check redundant if you adjust the first one like so:

| if (data_len >= sizeof(s->desc.field_len))

Or more explicit:

| if (data_len > sizeof(s->desc.field_len) -
|                sizeof(s->desc.field_len[0]))

Cheers, Phil

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH libnftnl] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
  2024-01-12 11:41 ` Phil Sutter
@ 2024-01-12 12:07   ` Pablo Neira Ayuso
  2024-01-12 12:39     ` Phil Sutter
  0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2024-01-12 12:07 UTC (permalink / raw)
  To: Phil Sutter, netfilter-devel

On Fri, Jan 12, 2024 at 12:41:47PM +0100, Phil Sutter wrote:
> On Thu, Jan 11, 2024 at 11:25:27PM +0100, Pablo Neira Ayuso wrote:
> > Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
> > bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
> > the array boundary.
> > 
> > Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > ---
> >  src/set.c | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> > diff --git a/src/set.c b/src/set.c
> > index 719e59616e97..b51ff9e0ba64 100644
> > --- a/src/set.c
> > +++ b/src/set.c
> > @@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
> >  		memcpy(&s->desc.size, data, sizeof(s->desc.size));
> >  		break;
> >  	case NFTNL_SET_DESC_CONCAT:
> > +		if (data_len > sizeof(s->desc.field_len))
> > +			return -1;
> > +
> >  		memcpy(&s->desc.field_len, data, data_len);
> > -		while (s->desc.field_len[++s->desc.field_count]);
> > +		while (s->desc.field_len[++s->desc.field_count]) {
> > +			if (s->desc.field_count >= NFT_REG32_COUNT)
> > +				break;
> > +		}
> 
> Isn't the second check redundant if you adjust the first one like so:
> 
> | if (data_len >= sizeof(s->desc.field_len))
>
> Or more explicit:
> 
> | if (data_len > sizeof(s->desc.field_len) -
> |                sizeof(s->desc.field_len[0]))

I see, you suggest to ensure last item in the array is always zero.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH libnftnl] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
  2024-01-12 12:07   ` Pablo Neira Ayuso
@ 2024-01-12 12:39     ` Phil Sutter
  0 siblings, 0 replies; 4+ messages in thread
From: Phil Sutter @ 2024-01-12 12:39 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Fri, Jan 12, 2024 at 01:07:36PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Jan 12, 2024 at 12:41:47PM +0100, Phil Sutter wrote:
> > On Thu, Jan 11, 2024 at 11:25:27PM +0100, Pablo Neira Ayuso wrote:
> > > Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
> > > bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
> > > the array boundary.
> > > 
> > > Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
> > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > ---
> > >  src/set.c | 8 +++++++-
> > >  1 file changed, 7 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/src/set.c b/src/set.c
> > > index 719e59616e97..b51ff9e0ba64 100644
> > > --- a/src/set.c
> > > +++ b/src/set.c
> > > @@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
> > >  		memcpy(&s->desc.size, data, sizeof(s->desc.size));
> > >  		break;
> > >  	case NFTNL_SET_DESC_CONCAT:
> > > +		if (data_len > sizeof(s->desc.field_len))
> > > +			return -1;
> > > +
> > >  		memcpy(&s->desc.field_len, data, data_len);
> > > -		while (s->desc.field_len[++s->desc.field_count]);
> > > +		while (s->desc.field_len[++s->desc.field_count]) {
> > > +			if (s->desc.field_count >= NFT_REG32_COUNT)
> > > +				break;
> > > +		}
> > 
> > Isn't the second check redundant if you adjust the first one like so:
> > 
> > | if (data_len >= sizeof(s->desc.field_len))
> >
> > Or more explicit:
> > 
> > | if (data_len > sizeof(s->desc.field_len) -
> > |                sizeof(s->desc.field_len[0]))
> 
> I see, you suggest to ensure last item in the array is always zero.

This is what's required by the while loop in the original form, I don't
see a real reason for it, though.

Cheers, Phil

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-01-12 12:39 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-01-11 22:25 [PATCH libnftnl] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter Pablo Neira Ayuso
2024-01-12 11:41 ` Phil Sutter
2024-01-12 12:07   ` Pablo Neira Ayuso
2024-01-12 12:39     ` Phil Sutter

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.