On Thu, Oct 17, 2019 at 12:58:18AM +0200, Phil Sutter wrote:
> This is a necessary follow-up on commit 00b144bc9d093 ("obj/ct_timeout:
> Avoid array overrun in timeout_parse_attr_data()") which fixed an array
> out-of-bounds access but missed the logic behind it:
>
> The nested attribute type values are incremented by one when being
> transferred between kernel and userspace; the zero type value is
> reserved for "unspecified".
>
> The kernel uses CTA_TIMEOUT_* symbols for that, libnftnl simply mangles the
> type values in nftnl_obj_ct_timeout_build().
>
> The return path was broken as it overstepped its nlattr array but apart from
> that worked: type values were decremented by one in
> timeout_parse_attr_data().
>
> This patch moves the type value mangling into
> parse_timeout_attr_policy_cb() (which still overstepped the nlattr array).
> Consequently, when copying values from the nlattr array into the ct timeout
> object in timeout_parse_attr_data(), the loop is adjusted to start at index
> 0 and the type value decrement is dropped there.
>
> Fixes: 0adceeab1597a ("src: add ct timeout support")
> Signed-off-by: Phil Sutter <phil@xxxxxx>

Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
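An added illustration of the type mangling the commit message describes (example code written here, not libnftnl's or the kernel's): the wire type is the kernel state index plus one, the policy callback undoes that exactly once and bounds-checks it, and the copy loop then runs from index 0 with no further decrement. The enum, struct and sample attributes are constructed stand-ins, not the real CTA_TIMEOUT_* definitions or libnftnl's nlattr handling.

```c
/* Constructed stand-in for the kernel's CTA_TIMEOUT_* state indices (not the real enum). */
enum {
    TIMEOUT_STATE_SYN_SENT = 0,
    TIMEOUT_STATE_SYN_RECV,
    TIMEOUT_STATE_ESTABLISHED,
    TIMEOUT_STATE_MAX,      /* number of states; also the nlattr array size */
};

/* Minimal stand-in for a nested netlink attribute on the wire. */
struct attr {
    unsigned int type;      /* 0 = unspecified, otherwise kernel state + 1 */
    unsigned int value;     /* timeout in seconds */
};

/* Build side: wire type is the state index plus one, keeping 0 reserved. */
static unsigned int state_to_wire(unsigned int state) { return state + 1; }

/* Policy callback: undo the +1 exactly once and refuse anything that would index
 * past the array. Without the upper bound, type MAX + 1 would write tb[MAX]. */
static int parse_policy_cb(const struct attr *a, const struct attr *tb[])
{
    if (a->type == 0 || a->type > TIMEOUT_STATE_MAX)
        return -1;          /* unspecified or unknown state: ignore it */
    tb[a->type - 1] = a;
    return 0;
}

/* Copy loop: starts at index 0, no further decrement (shape of the fixed
 * timeout_parse_attr_data()). Returns the number of accepted attributes. */
static int parse_timeouts(const struct attr *in, unsigned int n, unsigned int out[])
{
    const struct attr *tb[TIMEOUT_STATE_MAX] = { 0 };
    int accepted = 0;

    for (unsigned int i = 0; i < n; i++)
        accepted += (parse_policy_cb(&in[i], tb) == 0);
    for (unsigned int s = 0; s < TIMEOUT_STATE_MAX; s++)
        out[s] = tb[s] ? tb[s]->value : 0;
    return accepted;
}

/* Constructed sample: two valid states, one unspecified, one out of range. */
static int demo(unsigned int out[])
{
    const struct attr in[] = {
        { state_to_wire(TIMEOUT_STATE_ESTABLISHED), 432000 },
        { state_to_wire(TIMEOUT_STATE_SYN_SENT), 120 },
        { 0, 999 },                     /* unspecified: dropped */
        { TIMEOUT_STATE_MAX + 1, 7 },   /* past the enum: dropped */
    };
    return parse_timeouts(in, sizeof in / sizeof in[0], out);
}
```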