On Mon, Mar 06, 2017 at 12:02:52AM +0800, Liping Zhang wrote:
> From: Liping Zhang <zlpnobody@xxxxxxxxx>
>
> Currently we just assume the element key as a u32 integer, regardless of
> the set key length.
>
> This is incorrect, for example, the tcp port number is only 16 bits.
> So when we use the nft_payload expr to get the tcp dport and store
> it to dreg, the dport will be stored at 0~15 bits, and 16~31 bits
> will be padded with zero.
>
> So the reg->data[dreg] will be looked like as below:
> 0 15 31
> +-+-+-+-+-+-+-+-+-+-+-+-+
> | tcp dport | 0 |
> +-+-+-+-+-+-+-+-+-+-+-+-+
> But for these big-endian systems, if we treate this register as a u32
> integer, the element key will be larger than 65535, so the following
> lookup in bitmap set will cause out of bound access.
>
> Another issue is that if we add element with comments in bitmap
> set(although the comments will be ignored eventually), the element will
> vanish strangely. Because we treate the element key as a u32 integer, so
> the comments will become the part of the element key, then the element
> key will also be larger than 65535 and out of bound access will happen:
> # nft add element t s { 1 comment test }
>
> Since set->klen is 1 or 2, it's fine to treate the element key as a u8 or
> u16 integer.
Applied this one, thanks Liping.
I just sent a couple of a patch to fix element comments with bitmaps,
this is also implicitly fixing the leak that you aimed to fix with 2/2.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
