git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 17 Apr 2025 19:40:23 +0000 (21:40 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 21 Apr 2025 21:52:27 +0000 (23:52 +0200)
commit	2fbade3cd9900fe7f87ac660b6ac44544e238206
tree	79361f80534444d89b3b0ee4457708272fd1ed7e	tree
parent	2c41c82296c70203f4781fb976ee0f05629fba44	commit \| diff

netlink: bogus concatenated set ranges with netlink message overrun

When building each component of the set element key, a late byteorder
switch is performed to ensure that all components in the interval are
represented in big endian, as required by the pipapo backend.

In case that the set element does not fit into the netlink message, the
byteorder switch happens twice, leading to inserting an element with a
bogus component with large sets, so instead:

"lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890"

listing reports:

16777216 . 00:11:22:33:44:55 . 10.1.2.3 comment "123456789012345678901234567890"

Note that 16777216 is 0x1000000, which should instead be 0x00000001 to
represent "lo" as u32.

Fix this by switching the value in a temporary variable and use it to
set the set element key attribute in the netlink message.

Later, revisit this to perform this byteorder switch from evaluation
step.

Add tests/shell unit to cover for this bug.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1792
Fixes: 8ac2f3b2fca3 ("src: Add support for concatenated set ranges")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/netlink.c		diff \| blob \| blame \| history
tests/shell/testcases/sets/concat_nlmsg_overrun	[new file with mode: 0755]	blob
tests/shell/testcases/sets/dumps/concat_nlmsg_overrun.nft	[new file with mode: 0644]	blob