On Thu, Aug 31, 2023 at 10:37 AM Florian Westphal <fw@xxxxxxxxx> wrote: > > Wander Lairson Costa <wander@xxxxxxxxxx> wrote: > > > > diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c > > index 8f1bfa6ccc2d..13fedf2aaa0f 100644 > > --- a/net/netfilter/nfnetlink_osf.c > > +++ b/net/netfilter/nfnetlink_osf.c > > @@ -315,6 +315,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, > > > > f = nla_data(osf_attrs[OSF_ATTR_FINGER]); > > > > + if (f->opt_num > ARRAY_SIZE(f->opt)) > > + return -EINVAL; > > + > > Hmm, this isn't enough; as far as I can see there is no validation > whatsoever. > I didn't get it. It guarantees there is no OOB read of the opt array. > This should also check that all of: > > char genre[MAXGENRELEN]; > char version[MAXGENRELEN]; > char subtype[MAXGENRELEN]; > > ... have a NUL byte. You could use strnlen() == ARRAY_SIZE() -> EINVAL > for those. > I think the correct way would be memchr(genre/version/subtype, 0, MAXGENRELEN). > Maybe there is more to be validated. I did not followup with all the > nested structures buried in user_finger struct. > I focused on the reported issue mainly because I am unfamiliar with the Netfilter layer. Let me take a deeper look.
