On Wed, Sep 27, 2023 at 09:47:15AM -0700, joao@xxxxxxxxxxxxxxxxxx wrote: > From: Joao Moreira <joao.moreira@xxxxxxxxx> > > Currently, in nft_flow_rule_create function, num_actions is a signed > integer. Yet, it is processed within a loop which increments its > value. To prevent an overflow from occurring, make it unsigned and > also check if it reaches 256 when being incremented. > > Accordingly to discussions around v2, 256 actions are more than enough > for the frontend actions. > > After checking with maintainers, it was mentioned that front-end will > cap the num_actions value and that it is not possible to reach such > condition for an overflow. Yet, for correctness, it is still better to > fix this. > > This issue was observed by the commit author while reviewing a write-up > regarding a CVE within the same subsystem [1]. > > 1 - https://nickgregory.me/post/2022/03/12/cve-2022-25636/ Yes, but this is not related to the netfilter subsystem itself, this harderning is good to have for the flow offload infrastructure in general. > Signed-off-by: Joao Moreira <joao.moreira@xxxxxxxxx> > --- > net/netfilter/nf_tables_offload.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c > index 12ab78fa5d84..9a86db1f0e07 100644 > --- a/net/netfilter/nf_tables_offload.c > +++ b/net/netfilter/nf_tables_offload.c > @@ -90,7 +90,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, > { > struct nft_offload_ctx *ctx; > struct nft_flow_rule *flow; > - int num_actions = 0, err; > + unsigned int num_actions = 0; > + int err; reverse xmas tree. > struct nft_expr *expr; > > expr = nft_expr_first(rule); > @@ -99,6 +100,10 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, > expr->ops->offload_action(expr)) > num_actions++; > > + /* 2^8 is enough for frontend actions, avoid overflow */ > + if (num_actions == 256) This cap is not specific of nf_tables, it should apply to all other subsystems. This is the wrong spot. Moreover, please, add a definition for this, no hardcoded values. > + return ERR_PTR(-ENOMEM); Better E2BIG or similar, otherwise this propagates to userspace as ENOMEM. > + > expr = nft_expr_next(expr); > } > > -- > 2.42.0 >
