From: Phil Sutter <phil@nwl.cc>
Date: Tue, 15 Oct 2019 13:58:13 +0000 (+0200)
Subject: mnl: Don't use nftnl_set_set()
X-Git-Tag: v0.9.3~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ef5429f87dee067c8a70ef9d5b477198c803fcc;p=thirdparty%2Fnftables.git

mnl: Don't use nftnl_set_set()

The function is unsafe to use as it effectively bypasses data length
checks. Instead use nftnl_set_set_str() which at least asserts a const
char pointer is passed.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/mnl.c b/src/mnl.c
index 14fa4a71..75ab07b0 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -945,7 +945,7 @@ mnl_nft_set_dump(struct netlink_ctx *ctx, int family, const char *table)
 	nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family,
 				    NLM_F_DUMP, ctx->seqnum);
 	if (table != NULL)
-		nftnl_set_set(s, NFTNL_SET_TABLE, table);
+		nftnl_set_set_str(s, NFTNL_SET_TABLE, table);
 	nftnl_set_nlmsg_build_payload(nlh, s);
 	nftnl_set_free(s);