git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 5 May 2020 17:21:56 +0000 (19:21 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 5 May 2020 17:23:58 +0000 (19:23 +0200)
commit	eea03c8fb560a8a6deede1bccbce78b52b2c2905
tree	f9d594e7e6c7f9fe044e153e47d615da9e49e1a1	tree \| snapshot
parent	506fb113f7ca4fbb3d6da09ef6f9dc2b31f54a1f	commit \| diff

src: add rule_stmt_insert_at() and use it

This helper function adds a statement at a given position and it updates
the rule statement counter.

This patch fixes this:

flush table bridge test-bridge
add rule bridge test-bridge input vlan id 1 ip saddr 10.0.0.1
rule.c:2870:5: runtime error: index 2 out of bounds for type 'stmt *[*]'
=================================================================
==1043==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffdd69c1350 at pc 0x7f1036f53330 bp 0x7ffdd69c1300 sp 0x7ffdd69c12f8
WRITE of size 8 at 0x7ffdd69c1350 thread T0
    #0 0x7f1036f5332f in payload_try_merge /home/mbr/nftables/src/rule.c:2870
    #1 0x7f1036f534b7 in rule_postprocess /home/mbr/nftables/src/rule.c:2885
    #2 0x7f1036fb2785 in rule_evaluate /home/mbr/nftables/src/evaluate.c:3744
    #3 0x7f1036fb627b in cmd_evaluate_add /home/mbr/nftables/src/evaluate.c:3982
    #4 0x7f1036fbb9e9 in cmd_evaluate /home/mbr/nftables/src/evaluate.c:4462
    #5 0x7f10370652d2 in nft_evaluate /home/mbr/nftables/src/libnftables.c:414
    #6 0x7f1037065ba1 in nft_run_cmd_from_buffer /home/mbr/nftables/src/libnftables.c:447

Reported-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/rule.h		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history
src/rule.c		diff \| blob \| blame \| history