* [PATCH nft] payload: assert when accessing inner transport header
@ 2015-01-05 12:04 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2015-01-05 12:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber
Instead of segfaulting due to out-of-bounds access to the protocol
context array ctx->protocol[base].location from proto_ctx_update().
# nft add rule filter input ah nexthdr tcp
nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
So we avoid a crash. I think we have to add PROTO_BASE_INNER_HDR to proto_bases
and add some extra offsets for the inner header for this case. At least, I'd
like to put this in the tree so we have this in our radar.
src/payload.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/payload.c b/src/payload.c
index 83742fb..08578fd 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -85,6 +85,7 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
base = ctx->protocol[left->payload.base].desc;
desc = proto_find_upper(base, proto);
+ assert(left->payload.base + 1 <= PROTO_BASE_MAX);
proto_ctx_update(ctx, left->payload.base + 1, &expr->location, desc);
}
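Review bot: the `+` line only protects debug builds, since `assert()` is compiled out under `NDEBUG`; in a release build `proto_ctx_update(ctx, left->payload.base + 1, ...)` still writes past `ctx->protocol[]` for `ah nexthdr tcp`, and `left->payload.base` is derived from a user-supplied rule. A check that survives release builds and gives the caller an error to report, e.g. `if (left->payload.base + 1 > PROTO_BASE_MAX) return;` (with the assert kept alongside for debugging), would close that gap until the PROTO_BASE_INNER_HDR follow-up mentioned after the `---` lands. Two smaller points: the diff adds no include, so confirm payload.c already pulls in <assert.h>; and the log output quoted in the message reads `<= (__PROTO_BASE_MAX - 1)` while the hunk reads `<= PROTO_BASE_MAX`, which is presumably the macro's expansion, so a word in the message that the two are the same value would help a reader match output to code.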
--
1.7.10.4
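The bounds check the patch makes explicit, shown as an added example that is not part of the thread or of nft's source: a small stand-in for the protocol-context array with an update routine that refuses an index past the last slot and returns an error instead of aborting, so the failure survives a build with NDEBUG and can be reported to the user. Only `__PROTO_BASE_MAX`, `PROTO_BASE_MAX`, `ctx->protocol[]` and `proto_ctx_update()` come from the thread; the other enum members, the struct layout and the function names `proto_ctx_update_checked`, `select_upper_header` and the `demo_*` helpers are assumptions made for this example.

```c
#include <stdio.h>

/* Protocol layers a rule can address. Only __PROTO_BASE_MAX and
 * PROTO_BASE_MAX appear in the thread; the other members are assumptions
 * for this example, not nft's definitions. */
enum proto_base {
	PROTO_BASE_INVALID,
	PROTO_BASE_LL_HDR,
	PROTO_BASE_NETWORK_HDR,
	PROTO_BASE_TRANSPORT_HDR,
	__PROTO_BASE_MAX
};
#define PROTO_BASE_MAX (__PROTO_BASE_MAX - 1)	/* highest valid index */

/* One slot per layer; the array size is fixed at compile time. */
struct proto_ctx {
	struct {
		const char *desc;	/* name of the protocol found at this layer */
	} protocol[__PROTO_BASE_MAX];
};

/* Checked update (assumed name): refuse an index past the last slot instead
 * of writing through ctx->protocol[base] out of bounds. Returns 0 on
 * success, -1 when the base is not addressable. Unlike assert(), this check
 * stays in place when NDEBUG is defined. */
int proto_ctx_update_checked(struct proto_ctx *ctx, unsigned int base,
			     const char *desc)
{
	if (base > PROTO_BASE_MAX)
		return -1;
	ctx->protocol[base].desc = desc;
	return 0;
}

/* Models the step in payload_expr_pctx_update(): a match on the
 * next-protocol field of the header at `base` describes the header at
 * base + 1. With AH at the transport layer, "ah nexthdr tcp" asks for
 * base + 1 == __PROTO_BASE_MAX, one past the end of the array. */
int select_upper_header(struct proto_ctx *ctx, unsigned int base,
			const char *upper)
{
	return proto_ctx_update_checked(ctx, base + 1, upper);
}

/* "ip protocol tcp": network layer -> transport layer, in range.
 * Returns 0 when the transport slot was filled in. */
int demo_in_range(void)
{
	struct proto_ctx ctx = { { { 0 } } };
	int rc = select_upper_header(&ctx, PROTO_BASE_NETWORK_HDR, "tcp");

	return (rc == 0 && ctx.protocol[PROTO_BASE_TRANSPORT_HDR].desc != NULL)
		? 0 : -1;
}

/* "ah nexthdr tcp": transport layer -> inner header, for which no slot
 * exists. Returns -1: the rule is rejected, nothing is written. */
int demo_inner_header(void)
{
	struct proto_ctx ctx = { { { 0 } } };

	return select_upper_header(&ctx, PROTO_BASE_TRANSPORT_HDR, "tcp");
}

int main(void)
{
	printf("ip protocol tcp : %s\n",
	       demo_in_range() == 0 ? "accepted" : "rejected");
	printf("ah nexthdr tcp  : %s\n",
	       demo_inner_header() == 0 ? "accepted" : "rejected");
	return 0;
}
```

The second case is the one from the patch: with the checked update the inner-header request fails closed with a return code the rule parser can turn into an error message, rather than either corrupting memory (the original bug) or aborting the process (the assert).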
* Re: [PATCH nft] payload: assert when accessing inner transport header
From: Patrick McHardy @ 2015-01-05 12:06 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 05.01, Pablo Neira Ayuso wrote:
> Instead of segfaulting due to out-of-bounds access to the protocol
> context array ctx->protocol[base].location from proto_ctx_update().
>
> # nft add rule filter input ah nexthdr tcp
> nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> So we avoid a crash. I think we have to add PROTO_BASE_INNER_HDR to proto_bases
> and add some extra offsets for the inner header for this case. At least, I'd
> like to put this in the tree so we have this in our radar.
Yep, this looks fine for now. I'll think about a proper fix as well.
>
> src/payload.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/payload.c b/src/payload.c
> index 83742fb..08578fd 100644
> --- a/src/payload.c
> +++ b/src/payload.c
> @@ -85,6 +85,7 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
> base = ctx->protocol[left->payload.base].desc;
> desc = proto_find_upper(base, proto);
>
> + assert(left->payload.base + 1 <= PROTO_BASE_MAX);
> proto_ctx_update(ctx, left->payload.base + 1, &expr->location, desc);
> }
>
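Review bot: the quoted `+` line still terminates nft, with the diagnostic shown in the log message, rather than avoiding a crash as the line "So we avoid a crash" after the `---` says; what it buys is a controlled failure with a message instead of a silent out-of-bounds write in `proto_ctx_update()`. The commit message could state that directly, and the follow-up the author sketches (PROTO_BASE_INNER_HDR in proto_bases plus offsets for the inner header) would make `ah nexthdr tcp` an accepted rule instead of an abort. As a stopgap the one-line hunk is reasonable, which matches the reply above.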
> --
> 1.7.10.4
>