git.ipfire.org Git - thirdparty/nftables.git/commit
src: reject large raw payload and concat expressions
author: Florian Westphal <fw@strlen.de>
Tue, 12 Dec 2023 18:13:14 +0000 (19:13 +0100)
committer: Florian Westphal <fw@strlen.de>
Fri, 15 Dec 2023 01:27:14 +0000 (02:27 +0100)
commit: ef10d65db278d77208e960d210a1f4f532ebb552
tree: 354f10077f748e440f15b205071610c7c1f273b3
parent: 8eeedce89d8bf0ad58da398782c2ca8a91d83a32
src: reject large raw payload and concat expressions

The kernel will reject this too, but unfortunately nft may try
to cram the data into the underlying libnftnl expr.

This causes heap corruption or
BUG: nld buffer overflow: want to copy 132, max 64

After:

Error: Concatenation of size 544 exceeds maximum size of 512
udp length . @th,0,512 . @th,512,512 { 47-63 . 0xe373135363130 . 0x33131303735353203 }
                           ^^^^^^^^^

resp. same warning for an over-sized raw expression.

Signed-off-by: Florian Westphal <fw@strlen.de>
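As an added illustration, not code from this commit or from nftables, the size bound the message describes, run over the message's own example: each concat element is padded to a 32-bit register (an assumption about nftables' layout, chosen because it reproduces the quoted 544) and the padded running total is checked against 512 bits. The constant, array and function names are assumed, not nftables' own; an over-sized lone raw expression is the single-element case.

```c
#include <stdio.h>

/* Assumed limit: the commit's error quotes 512 bits, i.e. the 64-byte
 * libnftnl buffer from the BUG line. Padding each element to 32-bit
 * registers is an assumption; it is what makes 16 + 512 bits read 544. */
#define NFT_MAX_EXPR_BITS 512U
#define REG_BITS 32U

/* Constructed inputs: the commit's example (udp length = 16 bits,
 * then @th,0,512 and @th,512,512) and one that exactly fills 512. */
const unsigned commit_example_lens[3] = { 16, 512, 512 };
const unsigned fitting_lens[3] = { 128, 128, 256 };

/* Round an element up to whole 32-bit registers. */
static unsigned padded_bits(unsigned len)
{
    return (len + REG_BITS - 1) / REG_BITS * REG_BITS;
}

/* Index of the first element whose padded running total exceeds
 * NFT_MAX_EXPR_BITS, or -1 when the whole concatenation fits.
 * A lone over-sized raw expression is the n == 1 case. */
int concat_first_overflow(const unsigned *lens, size_t n)
{
    unsigned total = 0;
    for (size_t i = 0; i < n; i++) {
        total += padded_bits(lens[i]);
        if (total > NFT_MAX_EXPR_BITS)
            return (int)i;
    }
    return -1;
}

/* Padded size up to and including the offending element (the number
 * an error message would report), or the full size when it fits. */
unsigned concat_reported_size(const unsigned *lens, size_t n)
{
    int stop = concat_first_overflow(lens, n);
    size_t end = stop < 0 ? n : (size_t)stop + 1;
    unsigned total = 0;
    for (size_t i = 0; i < end; i++)
        total += padded_bits(lens[i]);
    return total;
}

int main(void)
{
    printf("Concatenation of size %u, first overflow at element %d\n",
           concat_reported_size(commit_example_lens, 3),
           concat_first_overflow(commit_example_lens, 3));
    return 0;
}
```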
include/expression.h
src/evaluate.c
src/parser_bison.y
tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr [new file with mode: 0644]
tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr [new file with mode: 0644]