From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 26 Feb 2024 16:31:19 +0000 (+0100)
Subject: udata: incorrect userdata buffer size validation
X-Git-Tag: libnftnl-1.2.7~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a4bcdfa6200ef1945a8f936a4474b59666c8dcca;p=thirdparty%2Flibnftnl.git

udata: incorrect userdata buffer size validation

Use the current remaining space in the buffer to ensure more userdata
attributes still fit in, buf->size is the total size of the userdata
buffer.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/udata.c b/src/udata.c
index 0cc3520c..e9bfc35e 100644
--- a/src/udata.c
+++ b/src/udata.c
@@ -42,6 +42,11 @@ uint32_t nftnl_udata_buf_len(const struct nftnl_udata_buf *buf)
 	return (uint32_t)(buf->end - buf->data);
 }
 
+static uint32_t nftnl_udata_buf_space(const struct nftnl_udata_buf *buf)
+{
+	return buf->size - nftnl_udata_buf_len(buf);
+}
+
 EXPORT_SYMBOL(nftnl_udata_buf_data);
 void *nftnl_udata_buf_data(const struct nftnl_udata_buf *buf)
 {
@@ -74,7 +79,8 @@ bool nftnl_udata_put(struct nftnl_udata_buf *buf, uint8_t type, uint32_t len,
 {
 	struct nftnl_udata *attr;
 
-	if (len > UINT8_MAX || buf->size < len + sizeof(struct nftnl_udata))
+	if (len > UINT8_MAX ||
+	    nftnl_udata_buf_space(buf) < len + sizeof(struct nftnl_udata))
 		return false;
 
 	attr = (struct nftnl_udata *)buf->end;