Re: [PATCH libnftnl] set: buffer overflow in NFTNL_SET_DESC_CONCAT setter

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Fri, 12 Jan 2024 13:07:36 +0100

On Fri, Jan 12, 2024 at 12:41:47PM +0100, Phil Sutter wrote:
> On Thu, Jan 11, 2024 at 11:25:27PM +0100, Pablo Neira Ayuso wrote:
> > Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
> > bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
> > the array boundary.
> > 
> > Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > ---
> >  src/set.c | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> > diff --git a/src/set.c b/src/set.c
> > index 719e59616e97..b51ff9e0ba64 100644
> > --- a/src/set.c
> > +++ b/src/set.c
> > @@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
> >  		memcpy(&s->desc.size, data, sizeof(s->desc.size));
> >  		break;
> >  	case NFTNL_SET_DESC_CONCAT:
> > +		if (data_len > sizeof(s->desc.field_len))
> > +			return -1;
> > +
> >  		memcpy(&s->desc.field_len, data, data_len);
> > -		while (s->desc.field_len[++s->desc.field_count]);
> > +		while (s->desc.field_len[++s->desc.field_count]) {
> > +			if (s->desc.field_count >= NFT_REG32_COUNT)
> > +				break;
> > +		}
> 
> Isn't the second check redundant if you adjust the first one like so:
> 
> | if (data_len >= sizeof(s->desc.field_len))
>
> Or more explicit:
> 
> | if (data_len > sizeof(s->desc.field_len) -
> |                sizeof(s->desc.field_len[0]))

I see, you suggest to ensure last item in the array is always zero.