]> git.ipfire.org Git - thirdparty/nftables.git/commitdiff
projects / thirdparty / nftables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d477ead)
json: reject too long interface names
authorFlorian Westphal <fw@strlen.de>
Tue, 24 Jun 2025 21:46:59 +0000 (23:46 +0200)
committerFlorian Westphal <fw@strlen.de>
Wed, 25 Jun 2025 22:09:53 +0000 (00:09 +0200)
Blamed commit added a length check on ifnames to the bison parser.
Unfortunately that wasn't enough, json parser has the same issue.

Bogon results in:
BUG: Interface length 44 exceeds limit
nft: src/mnl.c:742: nft_dev_add: Assertion `0' failed.

After patch, included bogon results in:
Error: Invalid device at index 0. name d2345678999999999999999999999999999999012345 too long

I intentionally did not extend evaluate.c to catch this, past sentiment
was that frontends should not send garbage.

I'll send a followup patch to also catch this from eval stage in case there
are further reports for frontends passing in such long names.

Fixes: fa52bc225806 ("parser: reject zero-length interface names")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/parser_json.c patch | blob | blame | history
tests/shell/testcases/bogons/nft-j-f/dev_name_parser_overflow_crash [new file with mode: 0644] patch | blob

diff --git a/src/parser_json.c b/src/parser_json.c
index e3dd14cda3504a72b59f6b44529236d6bbf47858..3195d529cbbcf9b54b4ff50734e3fbbf76bb2eb0 100644 (file)
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -2951,7 +2951,13 @@ static struct expr *json_parse_devs(struct json_ctx *ctx, json_t *root)
        size_t index;
 
        if (!json_unpack(root, "s", &dev)) {
-               tmp = constant_expr_alloc(int_loc, &string_type,
+               if (strlen(dev) >= IFNAMSIZ) {
+                       json_error(ctx, "Device name %s too long", dev);
+                       expr_free(expr);
+                       return NULL;
+               }
+
+               tmp = constant_expr_alloc(int_loc, &ifname_type,
                                          BYTEORDER_HOST_ENDIAN,
                                          strlen(dev) * BITS_PER_BYTE, dev);
                compound_expr_add(expr, tmp);
@@ -2969,7 +2975,14 @@ static struct expr *json_parse_devs(struct json_ctx *ctx, json_t *root)
                        expr_free(expr);
                        return NULL;
                }
-               tmp = constant_expr_alloc(int_loc, &string_type,
+
+               if (strlen(dev) >= IFNAMSIZ) {
+                       json_error(ctx, "Device name %s too long at index %zu", dev, index);
+                       expr_free(expr);
+                       return NULL;
+               }
+
+               tmp = constant_expr_alloc(int_loc, &ifname_type,
                                          BYTEORDER_HOST_ENDIAN,
                                          strlen(dev) * BITS_PER_BYTE, dev);
                compound_expr_add(expr, tmp);
diff --git a/tests/shell/testcases/bogons/nft-j-f/dev_name_parser_overflow_crash b/tests/shell/testcases/bogons/nft-j-f/dev_name_parser_overflow_crash
new file mode 100644 (file)
index 0000000..8303c5c
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-j-f/dev_name_parser_overflow_crash
@@ -0,0 +1,90 @@
+{
+  "nftables": [
+    {
+      "metainfo": {
+        "version": "VERSION",
+        "release_name": "RELEASE_NAME",
+        "json_schema_version": 1
+      }
+    },
+    {
+      "table": {
+        "family": "netdev",
+        "name": "filter1",
+        "handle": 0
+      }
+    },
+    {
+      "chain": {
+        "family": "netdev",
+        "table": "filter1",
+        "name": "Main_Ingress1",
+        "handle": 0,
+        "dev": "lo",
+        "type": "filter",
+        "hook": "ingress",
+        "prio": -500,
+        "policy": "accept"
+      }
+    },
+    {
+      "table": {
+        "family": "netdev",
+        "name": "filter2",
+        "handle": 0
+      }
+    },
+    {
+      "chain": {
+        "family": "netdev",
+        "table": "filter2",
+        "name": "Main_Ingress2",
+        "handle": 0,
+        "dev": [
+          "d2345678999999999999999999999999999999012345",
+          "lo"
+        ],
+        "type": "filter",
+        "hook": "ingress",
+        "prio": -500,
+        "policy": "accept"
+      }
+    },
+    {
+      "table": {
+        "family": "netdev",
+        "name": "filter3",
+        "handle": 0
+      }
+    },
+    {
+      "chain": {
+        "family": "netdev",
+        "table": "filter3",
+        "name": "Main_Ingress3",
+        "handle": 0,
+        "dev": [
+          "d23456789012345",
+          "lo"
+        ],
+        "type": "filter",
+        "hook": "ingress",
+        "prio": -500,
+        "policy": "accept"
+      }
+    },
+    {
+      "chain": {
+        "family": "netdev",
+        "table": "filter3",
+        "name": "Main_Egress3",
+        "handle": 0,
+        "dev": "lo",
+        "type": "filter",
+        "hook": "egress",
+        "prio": -500,
+        "policy": "accept"
+      }
+    }
+  ]
+}
Mirror of git://git.netfilter.org/nftables