[PATCH nft] netlink: fix stack overflow due to erroneous rounding

Florian Westphal <fw@xxxxxxxxx> · Wed, 20 Dec 2023 15:40:54 +0100

Byteorder switch in this function may undersize the conversion
buffer by one byte, this needs to use div_round_up().

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 src/netlink.c                                         | 11 ++++++++---
 .../bogons/nft-f/byteorder_switch_stack_overflow      |  6 ++++++
 2 files changed, 14 insertions(+), 3 deletions(-)
 create mode 100644 tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow

diff --git a/src/netlink.c b/src/netlink.c
index 32b189952aa3..3d685b575e64 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -254,6 +254,11 @@ static int netlink_export_pad(unsigned char *data, const mpz_t v,
 	return netlink_padded_len(i->len) / BITS_PER_BYTE;
 }
 
+static void byteorder_switch_expr_value(mpz_t v, const struct expr *e)
+{
+	mpz_switch_byteorder(v, div_round_up(e->len, BITS_PER_BYTE));
+}
+
 static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i,
 				    unsigned char *data)
 {
@@ -268,7 +273,7 @@ static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i,
 
 		if (expr_basetype(expr)->type == TYPE_INTEGER &&
 		    expr->byteorder == BYTEORDER_HOST_ENDIAN)
-			mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE);
+			byteorder_switch_expr_value(expr->value, expr);
 
 		i = expr;
 		break;
@@ -280,7 +285,7 @@ static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i,
 			mpz_init_bitmask(v, i->len - i->prefix_len);
 
 			if (i->byteorder == BYTEORDER_HOST_ENDIAN)
-				mpz_switch_byteorder(v, i->len / BITS_PER_BYTE);
+				byteorder_switch_expr_value(v, i);
 
 			mpz_add(v, i->prefix->value, v);
 			count = netlink_export_pad(data, v, i);
@@ -298,7 +303,7 @@ static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i,
 		expr = (struct expr *)i;
 		if (expr_basetype(expr)->type == TYPE_INTEGER &&
 		    expr->byteorder == BYTEORDER_HOST_ENDIAN)
-			mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE);
+			byteorder_switch_expr_value(expr->value, expr);
 		break;
 	default:
 		BUG("invalid expression type '%s' in set", expr_ops(i)->name);
diff --git a/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow
new file mode 100644
index 000000000000..0164052877b7
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow
@@ -0,0 +1,6 @@
+table inet x {
+	chain nat_dns_acme {
+		udp length . @th,260,118 vmap { 47-63 . 0xe373135363130333131303735353203 : goto nat_dns_dnstc, }
+		drop
+	}
+}
-- 
2.41.0








