From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH libnftnl] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
Date: Fri, 12 Jan 2024 13:39:02 +0100 [thread overview]
Message-ID: <ZaEy5uMXwpAzrVBb@orbyte.nwl.cc> (raw)
In-Reply-To: <ZaEriPoMQCKqu3/H@calendula>
On Fri, Jan 12, 2024 at 01:07:36PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Jan 12, 2024 at 12:41:47PM +0100, Phil Sutter wrote:
> > On Thu, Jan 11, 2024 at 11:25:27PM +0100, Pablo Neira Ayuso wrote:
> > > Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
> > > bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
> > > the array boundary.
> > >
> > > Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
> > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > ---
> > > src/set.c | 8 +++++++-
> > > 1 file changed, 7 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/src/set.c b/src/set.c
> > > index 719e59616e97..b51ff9e0ba64 100644
> > > --- a/src/set.c
> > > +++ b/src/set.c
> > > @@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
> > > memcpy(&s->desc.size, data, sizeof(s->desc.size));
> > > break;
> > > case NFTNL_SET_DESC_CONCAT:
> > > + if (data_len > sizeof(s->desc.field_len))
> > > + return -1;
> > > +
> > > memcpy(&s->desc.field_len, data, data_len);
> > > - while (s->desc.field_len[++s->desc.field_count]);
> > > + while (s->desc.field_len[++s->desc.field_count]) {
> > > + if (s->desc.field_count >= NFT_REG32_COUNT)
> > > + break;
> > > + }
> >
> > Isn't the second check redundant if you adjust the first one like so:
> >
> > | if (data_len >= sizeof(s->desc.field_len))
> >
> > Or more explicit:
> >
> > | if (data_len > sizeof(s->desc.field_len) -
> > | sizeof(s->desc.field_len[0]))
>
> I see, you suggest to ensure last item in the array is always zero.
This is what's required by the while loop in the original form, I don't
see a real reason for it, though.
Cheers, Phil
prev parent reply other threads:[~2024-01-12 12:39 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-11 22:25 [PATCH libnftnl] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter Pablo Neira Ayuso
2024-01-12 11:41 ` Phil Sutter
2024-01-12 12:07 ` Pablo Neira Ayuso
2024-01-12 12:39 ` Phil Sutter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZaEy5uMXwpAzrVBb@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.