On Thu, Jan 11, 2024 at 11:25:27PM +0100, Pablo Neira Ayuso wrote:
> Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
> bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
> the array boundary.
>
> Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> src/set.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/src/set.c b/src/set.c
> index 719e59616e97..b51ff9e0ba64 100644
> --- a/src/set.c
> +++ b/src/set.c
> @@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
> memcpy(&s->desc.size, data, sizeof(s->desc.size));
> break;
> case NFTNL_SET_DESC_CONCAT:
> + if (data_len > sizeof(s->desc.field_len))
> + return -1;
> +
> memcpy(&s->desc.field_len, data, data_len);
> - while (s->desc.field_len[++s->desc.field_count]);
> + while (s->desc.field_len[++s->desc.field_count]) {
> + if (s->desc.field_count >= NFT_REG32_COUNT)
> + break;
> + }

Isn't the second check redundant if you adjust the first one like so:

| if (data_len >= sizeof(s->desc.field_len))

Or more explicit:

| if (data_len > sizeof(s->desc.field_len) -
| sizeof(s->desc.field_len[0]))

Cheers, Phil
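Review bot: the bound check added inside the loop body runs only after the index has already been dereferenced, so it does not close the over-read it is meant to stop: with data_len == sizeof(s->desc.field_len) (the full 16 bytes named in the commit message) and no zero entry in field_len, the condition `s->desc.field_len[++s->desc.field_count]` reads field_len[16] before the body reaches `if (s->desc.field_count >= NFT_REG32_COUNT)`. Checking the index before indexing avoids that while keeping the pre-increment semantics of the original line, e.g. `while (++s->desc.field_count < NFT_REG32_COUNT && s->desc.field_len[s->desc.field_count]);`. This assumes NFT_REG32_COUNT equals the length of field_len, which the hunk itself does not show; a static assertion tying the two together (or using sizeof(s->desc.field_len) as the bound) would make that explicit.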