The kernel will reject this too, but unfortunately nft will try to cram the data into the underlying libnftnl expr. This causes heap corruption. This should also needs an independent fix in libnftnl.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 src/parser_bison.y | 7 +++++++
 .../bogons/nft-f/stack_overflow_via_large_raw_expr | 5 +++++
 2 files changed, 12 insertions(+)
 create mode 100644 tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 85cc9b6b0a80..2796e4387e03 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -5641,6 +5641,13 @@ payload_expr : payload_raw_expr
 payload_raw_expr : AT payload_base_spec COMMA NUM COMMA NUM close_scope_at
 {
+ if ($6 > NFT_REG32_COUNT * sizeof(uint32_t) * BITS_PER_BYTE) {
+ erec_queue(error(&@1, "raw payload length %u exceeds upper limit of %u",
+ $6, NFT_REG32_COUNT * sizeof(uint32_t) * BITS_PER_BYTE),
+ state->msgs);
+ YYERROR;
+ }
+
 $$ = payload_expr_alloc(&@$, NULL, 0);
 payload_init_raw($$, $2, $4, $6);
 $$->byteorder = BYTEORDER_BIG_ENDIAN;
diff --git a/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr
new file mode 100644
index 000000000000..66bd6bf87732
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr
@@ -0,0 +1,5 @@
+table t {
+ chain c {
+ @th,160,1272 gt 0
+ }
+}
--
2.41.0
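Review bot: The second `%u` in the added erec_queue() call is passed `NFT_REG32_COUNT * sizeof(uint32_t) * BITS_PER_BYTE`, whose type is size_t because of the sizeof factor, so the format specifier and the argument disagree (undefined behaviour per C11 and a -Wformat warning); use `%zu` there or cast the product to unsigned int. The first `%u` is fed `$6`, and if NUM's semantic value in the %union is wider than unsigned int — which seems likely given it is compared against a size_t limit — it needs the matching PRIu64-style specifier too; worth confirming against the union declaration. The limit expression is also written out twice, once in the comparison and once in the message; hoisting it into `const size_t max_bits = NFT_REG32_COUNT * sizeof(uint32_t) * BITS_PER_BYTE;` and printing it with `%zu` keeps the bound and the reported value in step. The payload_raw_expr action continues past the end of the hunk.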