From: Florian Westphal <fw@strlen.de>
To: Jenny Guanni Qu <qguanni@gmail.com>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org,
kadlec@netfilter.org, w@1wt.eu
Subject: Re: [PATCH] netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
Date: Fri, 6 Mar 2026 09:18:03 +0100
Message-ID: <aaqNu3eCF3f5aAvT@strlen.de>
In-Reply-To: <20260306080854.908476-1-qguanni@gmail.com>
Jenny Guanni Qu <qguanni@gmail.com> wrote:
> pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the
> to_offset argument on every iteration, including the last one where
> i == m->field_count - 1. This reads one element past the end of the
> stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS]
> with NFT_PIPAPO_MAX_FIELDS == 16).
Thanks, patch looks correct to me.
> diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
> index 7ef4b44471d3..9fb83fc05848 100644
> --- a/net/netfilter/nft_set_pipapo.c
> +++ b/net/netfilter/nft_set_pipapo.c
> @@ -1659,7 +1659,8 @@ static void pipapo_drop(struct nft_pipapo_match *m,
> }
>
> pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n,
> - rulemap[i + 1].n, i == m->field_count - 1);
> + i == m->field_count - 1 ? 0 : rulemap[i + 1].n,
> + i == m->field_count - 1);
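Review bot: the condition `i == m->field_count - 1` is now evaluated twice on adjacent lines of the pipapo_unmap() call; hoisting it into a local, e.g. `bool last = i == m->field_count - 1;`, and passing `last ? 0 : rulemap[i + 1].n, last` removes the duplication and keeps the last-field check in one place. It would also help to state in the commit message that pipapo_unmap() does not use to_offset when its final argument is true, since otherwise 0 reads as an arbitrary sentinel.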
Small nit, could you add
bool last = i == m->field_count - 1;
and then use 'last ? 0 : ..., last) ?
This idiom is used elsewhere in the file as well and I think it makes
this slightly more readable.
Thanks!
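As an added illustration of the off-by-one described in the commit message (not code from the kernel or from this patch), here is a stand-alone C model of the pipapo_drop() loop: the original shape reads rulemap[i + 1].n on every iteration, the patched shape passes 0 for the last field. The probe struct, the read_n() accessor and the sample values are constructed for this example; only the loop shape and the array size are taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_FIELDS 16	/* same size as NFT_PIPAPO_MAX_FIELDS in the commit message */

/* Stand-in for the kernel's stack array of rulemap entries (field names
 * follow the hunk) plus a flag recording any read past its end. */
struct rulemap_probe {
	struct { unsigned int to, n; } map[MAX_FIELDS];
	bool oob_read;
};

/* Bounds-checked read of map[idx].n: a real out-of-bounds stack read is
 * undefined behaviour, so the probe records the attempt and returns 0. */
static unsigned int read_n(struct rulemap_probe *p, size_t idx)
{
	if (idx >= MAX_FIELDS) {
		p->oob_read = true;
		return 0;
	}
	return p->map[idx].n;
}

/* Models the pipapo_drop() loop over field_count fields. With fixed == false
 * every iteration reads rulemap[i + 1].n for to_offset (original code), so a
 * full 16-field set reads map[16]. With fixed == true the last field passes 0
 * instead (patched code). Returns the to_offset of the final iteration and
 * reports through *oob whether any read went past the array. */
unsigned int drop_last_to_offset(size_t field_count, bool fixed, bool *oob)
{
	struct rulemap_probe p = { .oob_read = false };
	unsigned int to_offset = 0;

	for (size_t i = 0; i < MAX_FIELDS; i++) {	/* constructed sample data */
		p.map[i].to = (unsigned int)(i * 4);
		p.map[i].n = 4;
	}

	for (size_t i = 0; i < field_count; i++) {
		bool last = i == field_count - 1;

		to_offset = (fixed && last) ? 0 : read_n(&p, i + 1);
	}
	*oob = p.oob_read;
	return to_offset;
}
```

Only a set using all 16 fields triggers the read past the array, which is why the probe is run with field_count at the maximum as well as below it.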