Wander Lairson Costa <wander@xxxxxxxxxx> wrote: > On Thu, Aug 31, 2023 at 10:37 AM Florian Westphal <fw@xxxxxxxxx> wrote: > > > > Wander Lairson Costa <wander@xxxxxxxxxx> wrote: > > > > > > diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c > > > index 8f1bfa6ccc2d..13fedf2aaa0f 100644 > > > --- a/net/netfilter/nfnetlink_osf.c > > > +++ b/net/netfilter/nfnetlink_osf.c > > > @@ -315,6 +315,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb, > > > > > > f = nla_data(osf_attrs[OSF_ATTR_FINGER]); > > > > > > + if (f->opt_num > ARRAY_SIZE(f->opt)) > > > + return -EINVAL; > > > + > > > > Hmm, this isn't enough; as far as I can see there is no validation > > whatsoever. > > > > I didn't get it. It guarantees there is no OOB read of the opt array. Sorry. This is enough to validate opt_num. But other members need validation too. > > This should also check that all of: > > > > char genre[MAXGENRELEN]; > > char version[MAXGENRELEN]; > > char subtype[MAXGENRELEN]; > > > > ... have a NUL byte. You could use strnlen() == ARRAY_SIZE() -> EINVAL > > for those. > > > > I think the correct way would be memchr(genre/version/subtype, 0, MAXGENRELEN). I don't really care how it looks like, just that its clear that it is supposed to catch and reject non-null terminated c strings :-) > > Maybe there is more to be validated. I did not followup with all the > > > > I focused on the reported issue mainly because I am unfamiliar with > the Netfilter layer. Let me take a deeper look. I don't think there is anyone really familiar with OSF infra, it was added quite a while back.