From: Florian Westphal Date: Mon, 15 Jan 2024 13:11:17 +0000 (+0100) Subject: evaluate: error out when store needs more than one 128bit register of align fixup X-Git-Tag: v1.1.0~121 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8a66de2a15943b2fbf960967cdbcbd0a148cb114;p=thirdparty%2Fnftables.git evaluate: error out when store needs more than one 128bit register of align fixup Else this gives: nft: evaluate.c:2983: stmt_evaluate_payload: Assertion `sizeof(data) * BITS_PER_BYTE >= masklen' failed. For loads, this is already prevented via expr_evaluate_bits() which has: if (masklen > NFT_REG_SIZE * BITS_PER_BYTE) return expr_error(ctx->msgs, expr, "mask length %u exceeds allowed maximum of %u\n", masklen, NFT_REG_SIZE * BITS_PER_BYTE); But for the store path this isn't called. The reproducer asks to store a 128 bit integer at bit offset 1, i.e. 17 bytes would need to be munged, but we can only handle up to 16 bytes (one pseudo-register). Fixes: 78936d50f306 ("evaluate: add support to set IPv6 non-byte header fields") Signed-off-by: Florian Westphal --- diff --git a/src/evaluate.c b/src/evaluate.c index 3b366166..68cfd776 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3188,6 +3188,11 @@ static int stmt_evaluate_payload(struct eval_ctx *ctx, struct stmt *stmt) payload_byte_size = div_round_up(payload->len + extra_len, BITS_PER_BYTE); + if (payload_byte_size > sizeof(data)) + return expr_error(ctx->msgs, stmt->payload.expr, + "uneven load cannot span more than %u bytes, got %u", + sizeof(data), payload_byte_size); + if (need_csum && payload_byte_size & 1) { payload_byte_size++; diff --git a/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store b/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store new file mode 100644 index 00000000..c1358df4 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/payload_expr_unaligned_store @@ -0,0 +1 @@ +add rule f i @th,1,128 set 1