From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH] segtree: Fix segfault when restoring a huge interval set
Date: Wed, 9 Jun 2021 16:02:33 +0200
Message-ID: <20210609140233.8085-1-phil@nwl.cc>

Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as
set_to_segtree() exhausts the stack. Prevent this by allocating the
pointer array on heap and make sure it is freed before returning to
caller.

With this patch in place, restoring said set succeeds with allocation of
about 3GB of memory, according to valgrind.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/segtree.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/segtree.c b/src/segtree.c
index a4e047e79fc4f..9de5422c7d7f6 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -435,10 +435,10 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
struct expr *init, struct seg_tree *tree,
bool add, bool merge)
{
- struct elementary_interval *intervals[init->size];
+ struct elementary_interval **intervals;
struct expr *i, *next;
unsigned int n;
- int err;
+ int err = 0;
/* We are updating an existing set with new elements, check if the new
* interval overlaps with any of the existing ones.
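Review bot: the new `= 0` initializer on `err` only matters together with the final `return err;` in the last hunk: when `init->size` is 0 the insert loop never assigns it. That coupling is easy to lose in a later edit, so consider setting `err = 0` directly before the loop, or say in the commit message why the initializer was added. The message could also name the removed `intervals[init->size]` declaration as a variable-length array sized by the element count, since that is the actual cause of the stack exhaustion.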
@@ -449,6 +449,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
return err;
}
+ intervals = xmalloc_array(init->size, sizeof(intervals[0]));
n = expr_to_intervals(init, tree->keylen, intervals);
list_for_each_entry_safe(i, next, &init->expressions, list) {
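Review bot: the array allocated here is released only by the `xfree(intervals);` at the end of the function, and the body of the `list_for_each_entry_safe` loop that follows is not part of the diff, so please confirm it contains no `return` that would now leak the array. Placing the allocation after the early `return err;` above is right. Separately, the count that `expr_to_intervals()` stores in `n` is overwritten by the insert loop, which runs to `init->size`; if `xmalloc_array()` does not zero the memory, any slot `expr_to_intervals()` did not fill is an uninitialized pointer, so bounding the loop by the returned count would be safer.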
@@ -467,10 +468,11 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
for (n = 0; n < init->size; n++) {
err = ei_insert(msgs, tree, intervals[n], merge);
if (err < 0)
- return err;
+ break;
}
- return 0;
+ xfree(intervals);
+ return err;
}
static bool segtree_needs_first_segment(const struct set *set,
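Review bot: on the `break` path only the pointer array is freed; nothing visible here releases the entries after index `n` that were never passed to `ei_insert()`. The old `return err;` had the same gap, but since the point of this change is a clean exit on every path, either free the remaining elements before `xfree(intervals);` or state in the commit message who owns them when insertion fails.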
--
2.31.1