From: Phil Sutter Date: Fri, 15 Dec 2023 15:32:30 +0000 (+0100) Subject: expr: Enforce attr_policy compliance in nftnl_expr_set() X-Git-Tag: libnftnl-1.2.7~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=62db596bf1f3dabffac3e0b9b0c3db487bfff828;p=thirdparty%2Flibnftnl.git expr: Enforce attr_policy compliance in nftnl_expr_set() Every expression type defines an attr_policy array, so deny setting attributes if not present. Also deny if maxlen field is non-zero and lower than the given data_len. Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO ) or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero maxlen "nop" is also used for deprecated attributes, just to not silently ignore them. Signed-off-by: Phil Sutter --- diff --git a/src/expr.c b/src/expr.c index 74d211bc..4e32189c 100644 --- a/src/expr.c +++ b/src/expr.c @@ -74,6 +74,13 @@ int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type, if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr) return -1; + if (!expr->ops->attr_policy) + return -1; + + if (expr->ops->attr_policy[type].maxlen && + expr->ops->attr_policy[type].maxlen < data_len) + return -1; + if (expr->ops->set(expr, type, data, data_len) < 0) return -1; }
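Review bot: the new `expr->ops->attr_policy[type]` lookup relies on every expression's policy table having at least `nftnl_max_attr + 1` entries, because the only guard before the index is the NULL check on the array pointer (`if (!expr->ops->attr_policy) return -1;`) and the range check `type > expr->ops->nftnl_max_attr` that already existed above it; a policy array that is shorter than its `nftnl_max_attr` turns this into an out-of-bounds read rather than a clean `-1`, so the sizing invariant should be stated in a comment next to the check (or enforced where the ops tables are defined). The `maxlen && maxlen < data_len` condition also overloads `maxlen == 0` as "no limit", which the commit message notes is deliberately reused for deprecated attributes; a one-line comment at the check saying that zero means unbounded would save the next reader from assuming it rejects everything. Finally, note that this only bounds data that is too long: a `data_len` shorter than an attribute's fixed size still passes here, so the per-expression `set()` callbacks remain responsible for exact-length validation.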