Make sure kernel does not provide geneve data larger than
NFTNL_TUNNEL_GENEVE_DATA_MAXLEN, which might overrun the buffer.
Fixes: 239fbdb8979d ("tunnel: add support to geneve options")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
if (tb[NFTA_TUNNEL_KEY_GENEVE_DATA]) {
uint32_t len = mnl_attr_get_payload_len(tb[NFTA_TUNNEL_KEY_GENEVE_DATA]);
+ if (len > NFTNL_TUNNEL_GENEVE_DATA_MAXLEN) {
+ free(opt);
+ return -1;
+ }
+
memcpy(opt->geneve.data,
mnl_attr_get_payload(tb[NFTA_TUNNEL_KEY_GENEVE_DATA]),
len);
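Review bot: the bound in the new check, len > NFTNL_TUNNEL_GENEVE_DATA_MAXLEN, protects the memcpy only if that macro matches the actual size of opt->geneve.data, and neither the array declaration nor the macro definition is visible in this hunk. If data is a fixed-size array in the struct, comparing against sizeof(opt->geneve.data) would tie the limit directly to the destination buffer, so a later change to one cannot silently diverge from the other. Separately, the early exit returns -1 after free(opt) without setting errno, so a caller cannot tell an oversized attribute from any other parse failure. If the function's other error paths set errno, this one should too. It is also worth confirming that opt owns no other allocation at this point that the bare free(opt) would leak.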