netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH nft] owner: Fix potential array out of bounds access
@ 2022-12-21 16:37 Pablo Neira Ayuso
  2022-12-21 16:41 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2022-12-21 16:37 UTC (permalink / raw)
  To: netfilter-devel; +Cc: phil

If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will
return 'sizeof(tmp)'. Using this value as index is illegal.

Original update from Phil, for the conntrack-tools tree, which also has
a copy of this function.

Fixes: 6d085b22a8b5 ("table: support for the table owner flag")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
Same as:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20221220153847.24152-2-phil@nwl.cc/

 src/owner.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/owner.c b/src/owner.c
index 2d98a2e98028..20bed38b2a09 100644
--- a/src/owner.c
+++ b/src/owner.c
@@ -66,7 +66,7 @@ static char *portid2name(pid_t pid, uint32_t portid, unsigned long inode)
 			continue;
 
 		rl = readlink(procname, tmp, sizeof(tmp));
-		if (rl <= 0 || rl > (ssize_t)sizeof(tmp))
+		if (rl <= 0 || rl >= (ssize_t)sizeof(tmp))
 			continue;
 
 		tmp[rl] = 0;
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-12-21 16:41 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-12-21 16:37 [PATCH nft] owner: Fix potential array out of bounds access Pablo Neira Ayuso
2022-12-21 16:41 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).