]> git.ipfire.org Git - thirdparty/libnftnl.git/commitdiff
projects / thirdparty / libnftnl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2f4f8f6)
set: buffer overflow in NFTNL_SET_DESC_CONCAT setter
authorPablo Neira Ayuso <pablo@netfilter.org>
Thu, 11 Jan 2024 00:13:37 +0000 (01:13 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 11 Jan 2024 22:22:54 +0000 (23:22 +0100)
Allow to set a maximum limit of sizeof(s->desc.field_len) which is 16
bytes, otherwise, bail out. Ensure s->desc.field_count does not go over
the array boundary.

Fixes: 7cd41b5387ac ("set: Add support for NFTA_SET_DESC_CONCAT attributes")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/set.c patch | blob | blame | history

diff --git a/src/set.c b/src/set.c
index 719e59616e9747adc58be648e9771413c703cfe2..b51ff9e0ba64d87e4b7a49db7a26593625a77736 100644 (file)
--- a/src/set.c
+++ b/src/set.c
@@ -194,8 +194,14 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
                memcpy(&s->desc.size, data, sizeof(s->desc.size));
                break;
        case NFTNL_SET_DESC_CONCAT:
+               if (data_len > sizeof(s->desc.field_len))
+                       return -1;
+
                memcpy(&s->desc.field_len, data, data_len);
-               while (s->desc.field_len[++s->desc.field_count]);
+               while (s->desc.field_len[++s->desc.field_count]) {
+                       if (s->desc.field_count >= NFT_REG32_COUNT)
+                               break;
+               }
                break;
        case NFTNL_SET_TIMEOUT:
                memcpy(&s->timeout, data, sizeof(s->timeout));
Mirror of https://git.netfilter.org/libnftnl