public inbox for netfilter-devel@vger.kernel.org
* [BUG] libnftnl: missing length validation in Geneve tunnel option handling
@ 2026-03-11  1:37 侯朋朋
  2026-03-11  9:12 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: 侯朋朋 @ 2026-03-11  1:37 UTC (permalink / raw)
  To: netfilter-devel

Hi netfilter developers,

I would like to report two length-validation issues in libnftnl, both in the Geneve tunnel option handling in src/obj/tunnel.c.
These appear to be memory-safety bugs caused by missing bounds checks in fixed-size destinations.

## Issue 1: missing length validation in public setter

Function:
nftnl_tunnel_opt_geneve_set()

Problem:
For NFTNL_TUNNEL_GENEVE_CLASS and NFTNL_TUNNEL_GENEVE_TYPE,
data_len is used directly in memcpy() without validating that it matches
the destination field size.

Relevant code pattern:

case NFTNL_TUNNEL_GENEVE_CLASS:
        memcpy(&opt->geneve.geneve_class, data, data_len);
        break;
case NFTNL_TUNNEL_GENEVE_TYPE:
        memcpy(&opt->geneve.type, data, data_len);
        break;

The destination fields are fixed-size:
geneve_class: 2 bytes
type: 1 byte

So a caller can pass a larger data_len and overwrite subsequent fields
inside the Geneve sub-structure.


## Issue 2: missing upper-bound check in Netlink parsing path

Function:
nftnl_obj_tunnel_parse_geneve()

Problem:
The parser copies the NFTA_TUNNEL_KEY_GENEVE_DATA payload into a fixed
127-byte buffer without checking whether the payload length exceeds the
destination capacity.

Relevant code pattern:

if (tb[NFTA_TUNNEL_KEY_GENEVE_DATA]) {
        uint32_t len = mnl_attr_get_payload_len(tb[NFTA_TUNNEL_KEY_GENEVE_DATA]);

        memcpy(opt->geneve.data,
               mnl_attr_get_payload(tb[NFTA_TUNNEL_KEY_GENEVE_DATA]),
               len);
        opt->geneve.data_len = len;
}

The destination buffer is:
opt->geneve.data[127]

If len > 127, this overwrites the following field(s) and may corrupt
adjacent memory.


## Suggested fixes

1. In nftnl_tunnel_opt_geneve_set():

   * require data_len == sizeof(uint16_t) for NFTNL_TUNNEL_GENEVE_CLASS
   * require data_len == sizeof(uint8_t) for NFTNL_TUNNEL_GENEVE_TYPE


2. In nftnl_obj_tunnel_parse_geneve():

   * reject payloads where len > NFTNL_TUNNEL_GENEVE_DATA_MAXLEN


For example:
if (len > NFTNL_TUNNEL_GENEVE_DATA_MAXLEN)
        return -1;


Best regards,
Pengpeng Hou
pengpeng@iscas.ac.cn 

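Added example (not libnftnl's own code): the two checks the report suggests, applied to a simplified stand-in for the Geneve option struct. The struct layout, the GENEVE_DATA_MAXLEN value of 127 and the geneve_opt_set() name are assumptions taken from the report's description, not the library's definitions.

```c
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for the Geneve option state (assumed layout, not the
 * library's struct). data[] is 127 bytes, matching the report. */
#define GENEVE_DATA_MAXLEN 127

struct geneve_opt {
        uint16_t geneve_class;  /* 2-byte fixed field */
        uint8_t  type;          /* 1-byte fixed field */
        uint8_t  data_len;
        uint8_t  data[GENEVE_DATA_MAXLEN];
};

enum geneve_attr { GENEVE_CLASS, GENEVE_TYPE, GENEVE_DATA };

/* Hardened setter: each memcpy() into a fixed-size field is preceded by a
 * check that the caller-supplied length matches the destination exactly;
 * the variable-length data buffer gets the upper-bound check the report
 * suggests for the netlink parser. Returns 0 on success, -1 on a length
 * mismatch, so an oversized length never reaches memcpy(). */
int geneve_opt_set(struct geneve_opt *opt, enum geneve_attr attr,
                   const void *data, uint32_t data_len)
{
        switch (attr) {
        case GENEVE_CLASS:
                if (data_len != sizeof(opt->geneve_class))
                        return -1;
                memcpy(&opt->geneve_class, data, data_len);
                return 0;
        case GENEVE_TYPE:
                if (data_len != sizeof(opt->type))
                        return -1;
                memcpy(&opt->type, data, data_len);
                return 0;
        case GENEVE_DATA:
                if (data_len > GENEVE_DATA_MAXLEN)
                        return -1;
                memcpy(opt->data, data, data_len);
                opt->data_len = (uint8_t)data_len;
                return 0;
        }
        return -1;
}
```

With the checks in place, a 4-byte value offered for the 2-byte class field or a 128-byte payload for the data buffer is rejected before any copy, and the neighbouring fields stay untouched.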
