set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT

Assuming max data_len of 16 * 4B and no zero bytes in 'data':
The while loop will increment field_count, use it as index for the
field_len array and afterwards make sure it hasn't increased to
NFT_REG32_COUNT. Thus a value of NFT_REG32_COUNT - 1 (= 15) will pass
the check, get incremented to 16 and used as index to the 16 fields long
array.
Use a less fancy for-loop to avoid the increment vs. check problem.

Fixes: 407f616ea5318 ("set: buffer overflow in NFTNL_SET_DESC_CONCAT setter")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/set.c b/src/set.c
index d2f6a944c68412df13ad38efaa275e6977139c89..a0208441f31ecda9811e172d58616f18a76cb8fa 100644 (file)
--- a/src/set.c
+++ b/src/set.c
@@ -185,8 +185,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
                        return -1;
 
                memcpy(&s->desc.field_len, data, data_len);
-               while (s->desc.field_len[++s->desc.field_count]) {
-                       if (s->desc.field_count >= NFT_REG32_COUNT)
+               for (s->desc.field_count = 0;
+                    s->desc.field_count < NFT_REG32_COUNT;
+                    s->desc.field_count++) {
+                       if (!s->desc.field_len[s->desc.field_count])
                                break;
                }
                break;