git.ipfire.org Git - thirdparty/nftables.git/commit
netlink: bogus concatenated set ranges with netlink message overrun
author: Pablo Neira Ayuso <pablo@netfilter.org>, Thu, 17 Apr 2025 19:40:23 +0000 (21:40 +0200)
committer: Pablo Neira Ayuso <pablo@netfilter.org>, Wed, 18 Jun 2025 22:01:13 +0000 (00:01 +0200)
commit: d81f5fe95b88c69bf23fa247dee4e22bc3c91320
tree: 536e56b2f646da1d2f64437a08af797ab4e8365e
parent: 73fe1f4ae4e8925e39922ecdaef7a024ee31254b

commit 2fbade3cd9900fe7f87ac660b6ac44544e238206 upstream.

When building each component of the set element key, a late byteorder
switch is performed to ensure that all components in the interval are
represented in big endian, as required by the pipapo backend.

In case that the set element does not fit into the netlink message, the
byteorder switch happens twice, leading to inserting an element with a
bogus component with large sets, so instead:

      "lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890"

listing reports:

  16777216 . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890"

Note that 16777216 is 0x1000000, which should instead be 0x00000001 to
represent "lo" as u32.

Fix this by switching the value in a temporary variable and use it to
set the set element key attribute in the netlink message.

Later, revisit this to perform this byteorder switch from evaluation
step.

Add tests/shell unit to cover for this bug.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1792
Fixes: 8ac2f3b2fca3 ("src: Add support for concatenated set ranges")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/netlink.c
tests/shell/testcases/sets/concat_nlmsg_overrun [new file with mode: 0755]
tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.nft [new file with mode: 0644]
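
The double switch described in the commit message, as an added C model that is not nftables code: all types and function names here (`struct elem`, `struct msg`, `add_key_inplace`, `add_key_tmp`, `send_with_overrun`) are hypothetical, and the host is modelled as little endian. It shows why an in-place switch combined with a retry after a full message yields 16777216, and why switching a temporary does not.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEYLEN 4
/* Hypothetical model types, not nftables structures. */
struct elem { uint8_t key[KEYLEN]; };             /* u32 component, host (little-endian) bytes */
struct msg { uint8_t buf[KEYLEN]; size_t room; }; /* message with limited room */
static void switch_byteorder(uint8_t *p)
{
    uint8_t t = p[0]; p[0] = p[3]; p[3] = t;
    t = p[1]; p[1] = p[2]; p[2] = t;
}
/* Returns -1 when the attribute does not fit, so the caller must retry. */
static int msg_put(struct msg *m, const uint8_t *key)
{
    if (m->room < KEYLEN)
        return -1;
    memcpy(m->buf, key, KEYLEN);
    return 0;
}
/* Before: the switch modifies the element, so a retry switches it back. */
static int add_key_inplace(struct msg *m, struct elem *e)
{
    switch_byteorder(e->key);
    return msg_put(m, e->key);
}
/* After: the switch is applied to a temporary; the element is untouched. */
static int add_key_tmp(struct msg *m, const struct elem *e)
{
    uint8_t tmp[KEYLEN];
    memcpy(tmp, e->key, KEYLEN);
    switch_byteorder(tmp);
    return msg_put(m, tmp);
}
/* Put "lo" (constructed: u32 value 1) into a full message, retry, return key read as big endian. */
static uint32_t send_with_overrun(int fixed)
{
    struct elem lo = { .key = { 0x01, 0x00, 0x00, 0x00 } };
    struct msg full = { .room = 0 }, fresh = { .room = KEYLEN }, *m = &full;
    while ((fixed ? add_key_tmp(m, &lo) : add_key_inplace(m, &lo)) < 0)
        m = &fresh;
    return (uint32_t)m->buf[0] << 24 | m->buf[1] << 16 | m->buf[2] << 8 | m->buf[3];
}
int main(void)
{
    printf("in-place: %u, temporary: %u\n", send_with_overrun(0), send_with_overrun(1));
    return 0;
}
```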