Re: [libnftnl PATCH 1/3] set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT

On Wed, Dec 04, 2024 at 03:30:56PM +0100, Pablo Neira Ayuso wrote:
> Hi Phil,
> 
> On Wed, Nov 27, 2024 at 07:01:01PM +0100, Phil Sutter wrote:
> > Assuming max data_len of 16 * 4B and no zero bytes in 'data':
> > The while loop will increment field_count, use it as index for the
> > field_len array and afterwards make sure it hasn't increased to
> > NFT_REG32_COUNT. Thus a value of NFT_REG32_COUNT - 1 (= 15) will pass
> > the check, get incremented to 16 and used as index to the 16 fields long
> > array.
> > Use a less fancy for-loop to avoid the increment vs. check problem.
> 
> for-loop is indeed better.
> 
> Patch LGTM, thanks.
> 
> > Fixes: 407f616ea5318 ("set: buffer overflow in NFTNL_SET_DESC_CONCAT setter")
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> 
> Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Series applied, thanks!
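
The increment-versus-check problem from the quoted commit message, as an added example that is not part of this thread and not libnftnl's code. The helper names (`peek`, `count_while`, `count_for`, `highest_index`) and the `uint32_t` element type are assumptions for illustration, and the demo buffer carries one extra guard slot so the out-of-range index can be observed without leaving the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#define NFT_REG32_COUNT 16	/* field_len entries, per the commit message */

/* Read field_len[idx] and record the highest index touched. */
static uint32_t peek(const uint32_t *field_len, int idx, int *max_idx)
{
	if (idx > *max_idx)
		*max_idx = idx;
	return field_len[idx];
}

/* Loop shape the commit message describes: increment, index, then check. */
static int count_while(const uint32_t *field_len, int *max_idx)
{
	int field_count = 0;
	while (peek(field_len, ++field_count, max_idx)) {
		if (field_count >= NFT_REG32_COUNT)
			break;
	}
	return field_count;
}

/* For-loop shape: the bound is tested before every access. */
static int count_for(const uint32_t *field_len, int *max_idx)
{
	int field_count;
	for (field_count = 0; field_count < NFT_REG32_COUNT; field_count++) {
		if (!peek(field_len, field_count, max_idx))
			break;
	}
	return field_count;
}

/* Constructed input: 16 non-zero lengths plus a guard slot at index 16. */
int highest_index(int use_for_loop)
{
	uint32_t buf[NFT_REG32_COUNT + 1];	/* guard keeps the stray read in bounds */
	int i, max_idx = -1;
	for (i = 0; i <= NFT_REG32_COUNT; i++)
		buf[i] = 4;
	(use_for_loop ? count_for : count_while)(buf, &max_idx);
	return max_idx;
}

int main(void)
{
	printf("while: %d, for: %d\n", highest_index(0), highest_index(1));
	return 0;
}
```

With no zero terminator in the data, the while-loop shape reaches index 16, one past a 16-entry array, while the for-loop shape stops at index 15.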



