On 05.01, Pablo Neira Ayuso wrote:
> Instead of segfaulting due to out of bound access to protocol
> context array ctx->protocol[base].location from proto_ctx_update().
>
> # nft add rule filter input ah nexthdr tcp
> nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> So we avoid a crash. I think we have to add PROTO_BASE_INNER_HDR to proto_bases
> and add some extra offsets for the inner header for this case. At least, I'd
> like to put this in the tree so we have this in our radar.

Yep, this looks fine for now. I'll think about a proper fix as well.

>
>  src/payload.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/src/payload.c b/src/payload.c
> index 83742fb..08578fd 100644
> --- a/src/payload.c
> +++ b/src/payload.c
> @@ -85,6 +85,7 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
>  	base = ctx->protocol[left->payload.base].desc;
>  	desc = proto_find_upper(base, proto);
>
> +	assert(left->payload.base + 1 <= PROTO_BASE_MAX);
>  	proto_ctx_update(ctx, left->payload.base + 1, &expr->location, desc);
>  }
>
> --
> 1.7.10.4
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
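Review bot: the assert() added in payload_expr_pctx_update() only turns the out-of-bounds access into a controlled abort, and it is compiled out entirely when the tree is built with NDEBUG, so in that configuration the access to ctx->protocol[left->payload.base + 1] comes back unchanged; as the quoted output shows, a user-supplied rule such as "ah nexthdr tcp" still terminates nft, now with an assertion message instead of a segfault. Since the cover letter already identifies the real fix (adding PROTO_BASE_INNER_HDR to proto_bases with matching offsets), it would be safer to reject the expression during evaluation with an error when left->payload.base has no next slot, and keep the assert only as an internal sanity check rather than as the sole guard.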