Re: [PATCH nft] payload: assert when accessing inner transport header

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 05.01, Pablo Neira Ayuso wrote:
> Instead of segfaulting due to out of bound access access to protocol
> context array ctx->protocol[base].location from proto_ctx_update().
> 
>  # nft add rule filter input ah nexthdr tcp
>  nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> So we avoid a crash. I think we have to add PROTO_BASE_INNER_HDR to proto_bases
> and add some extra offsets for the inner header for this case. At least, I'd
> like to put this in the tree so we have this in our radar.

Yep, this looks fine for now. I'll think about a proper fix as well.

> 
>  src/payload.c |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/payload.c b/src/payload.c
> index 83742fb..08578fd 100644
> --- a/src/payload.c
> +++ b/src/payload.c
> @@ -85,6 +85,7 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
>  	base = ctx->protocol[left->payload.base].desc;
>  	desc = proto_find_upper(base, proto);
>  
> +	assert(left->payload.base + 1 <= PROTO_BASE_MAX);
>  	proto_ctx_update(ctx, left->payload.base + 1, &expr->location, desc);
>  }
>  
> -- 
> 1.7.10.4
> 
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux