netfilter-devel.vger.kernel.org archive mirror
* [libnftnl PATCH] target: Fix an invalid read.
@ 2014-04-13 18:08 Ana Rey
  2014-04-13 18:08 ` [libnftnl PATCH] tests: Fix a memory leak Ana Rey
  2014-04-13 18:21 ` [libnftnl PATCH] target: Fix an invalid read Florian Westphal
  0 siblings, 2 replies; 4+ messages in thread
From: Ana Rey @ 2014-04-13 18:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Ana Rey

Valgrind reports the following invalid read:

$ sudo valgrind --leak-check=full ./nft-parsing-test -f ../jsonfiles/35-rule-target.json

==26018== Invalid read of size 8
==26018==    at 0x4E484E3: nft_rule_expr_target_set (target.c:46)
==26018==    by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018==    by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018==    by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018==    by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018==    by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018==    by 0x401479: test_json (nft-parsing-test.c:129)
==26018==    by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018==    by 0x400EBB: main (nft-parsing-test.c:332)
==26018==  Address 0x5c34a60 is 0 bytes inside a block of size 4 alloc'd
==26018==    at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018==    by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==
==26018== Invalid read of size 8
==26018==    at 0x4E484ED: nft_rule_expr_target_set (target.c:46)
==26018==    by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018==    by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018==    by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018==    by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018==    by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018==    by 0x401479: test_json (nft-parsing-test.c:129)
==26018==    by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018==    by 0x400EBB: main (nft-parsing-test.c:332)
==26018==  Address 0x5c34a68 is 4 bytes after a block of size 4 alloc'd
==26018==    at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018==    by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==
==26018== Invalid read of size 8
==26018==    at 0x4E484F5: nft_rule_expr_target_set (target.c:46)
==26018==    by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018==    by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018==    by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018==    by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018==    by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018==    by 0x401479: test_json (nft-parsing-test.c:129)
==26018==    by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018==    by 0x400EBB: main (nft-parsing-test.c:332)
==26018==  Address 0x5c34a70 is 12 bytes after a block of size 4 alloc'd
==26018==    at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018==    by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==
==26018== Invalid read of size 4
==26018==    at 0x4E484FD: nft_rule_expr_target_set (target.c:46)
==26018==    by 0x4E40B54: nft_rule_expr_set (expr.c:73)
==26018==    by 0x4E48167: nft_rule_expr_target_json_parse (target.c:185)
==26018==    by 0x4E4091D: nft_jansson_expr_parse (jansson.c:206)
==26018==    by 0x4E3B769: nft_jansson_parse_rule (rule.c:606)
==26018==    by 0x4E3F055: nft_ruleset_do_parse (ruleset.c:312)
==26018==    by 0x401479: test_json (nft-parsing-test.c:129)
==26018==    by 0x4017C2: execute_test_file (nft-parsing-test.c:270)
==26018==    by 0x400EBB: main (nft-parsing-test.c:332)
==26018==  Address 0x5c34a78 is 20 bytes after a block of size 4 alloc'd
==26018==    at 0x4C274A0: malloc (vg_replace_malloc.c:291)
==26018==    by 0x56834FF: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5685825: json_string_nocheck (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682A3F: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682C5D: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682ADE: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5682EDD: ??? (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)
==26018==    by 0x5683295: json_loadf (in /usr/lib/x86_64-linux-gnu/libjansson.so.4.6.0)

Signed-off-by: Ana Rey <anarey@gmail.com>
---
 src/expr/target.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/expr/target.c b/src/expr/target.c
index 36e37de..072f25f 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -42,8 +42,8 @@ nft_rule_expr_target_set(struct nft_rule_expr *e, uint16_t type,
 
 	switch(type) {
 	case NFT_EXPR_TG_NAME:
-		memcpy(tg->name, data, XT_EXTENSION_MAXNAMELEN);
-		tg->name[XT_EXTENSION_MAXNAMELEN-1] = '\0';
+		memcpy(tg->name, data, strlen(data));
+		tg->name[strlen(data)+1] = '\0';
 		break;
 	case NFT_EXPR_TG_REV:
 		tg->rev = *((uint32_t *)data);
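Review bot: the two added lines in the NFT_EXPR_TG_NAME case bound the copy by strlen(data), the length of the source, so nothing here keeps the write inside tg->name, which the removed lines sized with XT_EXTENSION_MAXNAMELEN. The terminator is also written at index strlen(data)+1, which leaves the byte at index strlen(data) unset and can land past the end of the array for a long name. Suggest clamping the length to the size of tg->name minus one, copying that many bytes, and writing '\0' at that same index. strlen(data) also assumes data is NUL-terminated, which is worth checking at the caller or stating in a comment.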
-- 
1.9.0



* [libnftnl PATCH] tests: Fix a memory leak
  2014-04-13 18:08 [libnftnl PATCH] target: Fix an invalid read Ana Rey
@ 2014-04-13 18:08 ` Ana Rey
  2014-04-14  8:49   ` Pablo Neira Ayuso
  2014-04-13 18:21 ` [libnftnl PATCH] target: Fix an invalid read Florian Westphal
  1 sibling, 1 reply; 4+ messages in thread
From: Ana Rey @ 2014-04-13 18:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Ana Rey

Free nft_parse_err struct when there is an error in execute_test function.

It solves the following memory leak shown by valgrind.

==7845== 24 bytes in 1 blocks are still reachable in loss record 1 of 2
==7845==    at 0x4C29590: calloc (vg_replace_malloc.c:618)
==7845==    by 0x401740: execute_test_file (nft-parsing-test.c:249)
==7845==    by 0x400EBB: main (nft-parsing-test.c:330)

Signed-off-by: Ana Rey <anarey@gmail.com>
---
 tests/nft-parsing-test.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/nft-parsing-test.c b/tests/nft-parsing-test.c
index 952ffbf..2a15109 100644
--- a/tests/nft-parsing-test.c
+++ b/tests/nft-parsing-test.c
@@ -263,6 +263,7 @@ static int execute_test_file(const char *filename)
 				printf("\033[32mOK\e[0m\n");
 			}
 		}
+		nft_parse_err_free(err);
 		exit(EXIT_FAILURE);
 	}
 	if (strcmp(&filename[len-5], ".json") == 0) {
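Review bot: the commit message says the leak is in the execute_test function, but the hunk header shows the added nft_parse_err_free(err) lands in execute_test_file; the message should name the function actually changed. Since the call sits directly before exit(EXIT_FAILURE) and valgrind listed the block as "still reachable", the message could also say that the aim is a clean valgrind report on this exit path.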
@@ -273,6 +274,7 @@ static int execute_test_file(const char *filename)
 				printf("\033[32mOK\e[0m\n");
 			}
 		}
+		nft_parse_err_free(err);
 		exit(EXIT_FAILURE);
 	}
 
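Review bot: this hunk repeats the nft_parse_err_free(err) call from the previous hunk before a second exit(EXIT_FAILURE), so any exit path added later has to remember the same call. Suggest freeing err in one place, for example a single cleanup label that both branches jump to before exiting, so the release cannot be missed.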
-- 
1.9.0



* Re: [libnftnl PATCH] target: Fix an invalid read.
  2014-04-13 18:08 [libnftnl PATCH] target: Fix an invalid read Ana Rey
  2014-04-13 18:08 ` [libnftnl PATCH] tests: Fix a memory leak Ana Rey
@ 2014-04-13 18:21 ` Florian Westphal
  1 sibling, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2014-04-13 18:21 UTC (permalink / raw)
  To: Ana Rey; +Cc: netfilter-devel

Ana Rey <anarey@gmail.com> wrote:
> --- a/src/expr/target.c
> +++ b/src/expr/target.c
> @@ -42,8 +42,8 @@ nft_rule_expr_target_set(struct nft_rule_expr *e, uint16_t type,
>  
>  	switch(type) {
>  	case NFT_EXPR_TG_NAME:
> -		memcpy(tg->name, data, XT_EXTENSION_MAXNAMELEN);
> -		tg->name[XT_EXTENSION_MAXNAMELEN-1] = '\0';
> +		memcpy(tg->name, data, strlen(data));

This can overflow tg->name, since the size of the source
is tested instead of destination.

What about:

snprintf(tg->name, sizeof(tg->name), "%.*s", data_len, (const char *) data);

?
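The bounded copy suggested in the reply above, worked through as an added example (not code from the thread or from libnftnl). The names demo_target and demo_target_set_name and the value given to XT_EXTENSION_MAXNAMELEN are assumptions for illustration, and data_len is supplied by the caller.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value for this example; the real constant comes from the xtables headers. */
#define XT_EXTENSION_MAXNAMELEN 29

/* Hypothetical stand-in for the library's private target expression struct. */
struct demo_target {
	char name[XT_EXTENSION_MAXNAMELEN];
	uint32_t rev;
};

/*
 * Copy at most data_len bytes of data into tg->name. The read is bounded by
 * data_len (the source need not be NUL-terminated) and the write by
 * sizeof(tg->name); the result is always NUL-terminated.
 * Returns 0 on success, 1 if the name was truncated, -1 on bad arguments.
 */
static int demo_target_set_name(struct demo_target *tg, const void *data,
				size_t data_len)
{
	int n;

	if (tg == NULL || data == NULL || data_len > INT_MAX)
		return -1;
	n = snprintf(tg->name, sizeof(tg->name), "%.*s", (int)data_len,
		     (const char *)data);
	if (n < 0)
		return -1;
	return (size_t)n >= sizeof(tg->name) ? 1 : 0;
}

int main(void)
{
	struct demo_target tg;
	char *small = malloc(4);	/* constructed: 4-byte block, as in the valgrind report */
	char big[64];			/* constructed: over-long, no terminator */

	if (small == NULL)
		return 1;
	memcpy(small, "LOG", 4);
	memset(big, 'A', sizeof(big));
	printf("%d '%s'\n", demo_target_set_name(&tg, small, strlen(small)), tg.name);
	printf("%d '%s'\n", demo_target_set_name(&tg, big, sizeof(big)), tg.name);
	free(small);
	return 0;
}
```

Running the program under valgrind should report no invalid reads for the 4-byte source, because the read stops at data_len rather than at the destination size.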


* Re: [libnftnl PATCH] tests: Fix a memory leak
  2014-04-13 18:08 ` [libnftnl PATCH] tests: Fix a memory leak Ana Rey
@ 2014-04-14  8:49   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2014-04-14  8:49 UTC (permalink / raw)
  To: Ana Rey; +Cc: netfilter-devel

On Sun, Apr 13, 2014 at 08:08:34PM +0200, Ana Rey wrote:
> Free nft_parse_err struct when there is an error in execute_test function.
> 
> It solves the following memory leak shown by valgrind.
> 
> ==7845== 24 bytes in 1 blocks are still reachable in loss record 1 of 2
> ==7845==    at 0x4C29590: calloc (vg_replace_malloc.c:618)
> ==7845==    by 0x401740: execute_test_file (nft-parsing-test.c:249)
> ==7845==    by 0x400EBB: main (nft-parsing-test.c:330)

Applied, thanks.

