netlink: fix stack overflow due to erroneous rounding

author Florian Westphal <fw@strlen.de>

Wed, 20 Dec 2023 14:40:54 +0000 (15:40 +0100)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Wed, 22 Jan 2025 23:41:53 +0000 (00:41 +0100)
author Florian Westphal <fw@strlen.de>
Wed, 20 Dec 2023 14:40:54 +0000 (15:40 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 22 Jan 2025 23:41:53 +0000 (00:41 +0100)
diff --git a/src/netlink.c b/src/netlink.c

index 0b5030fb212143c9457e4608562fc90344861f86..f8367eb44a3ae25b921c5b52d0732e83298df897 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -254,6 +254,11 @@ static int netlink_export_pad(unsigned char *data, const mpz_t v,
         return netlink_padded_len(i->len) / BITS_PER_BYTE;
  }
  
+static void byteorder_switch_expr_value(mpz_t v, const struct expr *e)
+{
+       mpz_switch_byteorder(v, div_round_up(e->len, BITS_PER_BYTE));
+}
+
  static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i,
                                     unsigned char *data)
  {
@@ -268,7 +273,7 @@ static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i,
  
                 if (expr_basetype(expr)->type == TYPE_INTEGER &&
                     expr->byteorder == BYTEORDER_HOST_ENDIAN)
-                       mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE);
+                       byteorder_switch_expr_value(expr->value, expr);
  
                 i = expr;
                 break;
@@ -280,7 +285,7 @@ static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i,
                         mpz_init_bitmask(v, i->len - i->prefix_len);
  
                         if (i->byteorder == BYTEORDER_HOST_ENDIAN)
-                               mpz_switch_byteorder(v, i->len / BITS_PER_BYTE);
+                               byteorder_switch_expr_value(v, i);
  
                         mpz_add(v, i->prefix->value, v);
                         count = netlink_export_pad(data, v, i);
@@ -298,7 +303,7 @@ static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i,
                 expr = (struct expr *)i;
                 if (expr_basetype(expr)->type == TYPE_INTEGER &&
                     expr->byteorder == BYTEORDER_HOST_ENDIAN)
-                       mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE);
+                       byteorder_switch_expr_value(expr->value, expr);
                 break;
         default:
                 BUG("invalid expression type '%s' in set", expr_ops(i)->name);
diff --git a/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow

new file mode 100644 (file)

index 0000000..0164052
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow
@@ -0,0 +1,6 @@
+table inet x {
+       chain nat_dns_acme {
+               udp length . @th,260,118 vmap { 47-63 . 0xe373135363130333131303735353203 : goto nat_dns_dnstc, }
+               drop
+       }
+}
author	Florian Westphal <fw@strlen.de>
	Wed, 20 Dec 2023 14:40:54 +0000 (15:40 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 22 Jan 2025 23:41:53 +0000 (00:41 +0100)
src/netlink.c		patch \| blob \| blame \| history
tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow	[new file with mode: 0644]	patch \| blob