Otherwise too long string overruns the log prefix buffer. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1714 Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- src/evaluate.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/evaluate.c b/src/evaluate.c index b7ae9113b5a8..2196e92813d0 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -4175,8 +4175,13 @@ static int stmt_evaluate_log_prefix(struct eval_ctx *ctx, struct stmt *stmt) size_t offset = 0; struct expr *expr; - if (stmt->log.prefix->etype != EXPR_LIST) + if (stmt->log.prefix->etype != EXPR_LIST) { + if (stmt->log.prefix && + div_round_up(stmt->log.prefix->len, BITS_PER_BYTE) >= NF_LOG_PREFIXLEN) + return expr_error(ctx->msgs, stmt->log.prefix, "log prefix is too long"); + return 0; + } prefix[0] = '\0'; -- 2.30.2
