Use strlen(), otherwise mpz_import_data() reads too much beyond the real
chain string. Valgrind reports the following error:
==2759== Invalid read of size 1
==2759== at 0x67D68D6: __gmpz_import (in /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.2)
==2759== by 0x4E79467: mpz_import_data (gmputil.c:133)
==2759== by 0x4E60A12: constant_expr_alloc (expression.c:375)
==2759== by 0x4E8ED65: nft_parse (parser_bison.y:3825)
==2759== by 0x4E7E850: nft_parse_bison_buffer (libnftables.c:357)
==2759== by 0x4E7E850: nft_run_cmd_from_buffer (libnftables.c:424)
==2759== by 0x1095D4: main (in /tmp/a.out)
==2759== Address 0x6ee1b4a is 0 bytes after a block of size 10 alloc'd
==2759== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2759== by 0x59FD3B9: strdup (strdup.c:42)
==2759== by 0x4E7963D: xstrdup (utils.c:75)
==2759== by 0x4E9C233: nft_lex (scanner.l:626)
==2759== by 0x4E8E382: nft_parse (parser_bison.c:5297)
==2759== by 0x4E7E850: nft_parse_bison_buffer (libnftables.c:357)
==2759== by 0x4E7E850: nft_run_cmd_from_buffer (libnftables.c:424)
Fixes: f1e8a129ee42 ("src: Introduce chain_expr in jump and goto statements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
case NFT_GOTO:
chain = constant_expr_alloc(loc, &string_type,
BYTEORDER_HOST_ENDIAN,
- NFT_CHAIN_MAXNAMELEN *
- BITS_PER_BYTE, nld->chain);
+ strlen(nld->chain) * BITS_PER_BYTE,
+ nld->chain);
break;
default:
chain = NULL;
{
$$ = constant_expr_alloc(&@$, &string_type,
BYTEORDER_HOST_ENDIAN,
- NFT_CHAIN_MAXNAMELEN *
- BITS_PER_BYTE, $1);
+ strlen($1) * BITS_PER_BYTE,
+ $1);
}
;
projects / thirdparty / nftables.git / commitdiff
