git.ipfire.org Git - thirdparty/nftables.git/commit
evaluate: make sure chain jump name comes with a null byte
author    Florian Westphal <fw@strlen.de>
          Tue, 24 Jun 2025 21:01:13 +0000 (23:01 +0200)
committer Florian Westphal <fw@strlen.de>
          Wed, 25 Jun 2025 22:10:06 +0000 (00:10 +0200)
commit    ca0c49d1bdb944534851c3dcb4c8ce16f1675074
tree      f2652ba1360a9fc5bf559d6c9871f58b0467a7b2
parent    bed99830c4c63eae205c28a7ff914737bedb199d
evaluate: make sure chain jump name comes with a null byte

There is a stack oob read access in netlink_gen_chain():

    mpz_export_data(chain, expr->chain->value,
                    BYTEORDER_HOST_ENDIAN, len);
    snprintf(data->chain, NFT_CHAIN_MAXNAMELEN, "%s", chain);

There is no guarantee that chain[] is null terminated, so snprintf
can read past the chain[] array.  The ASAN report is:

AddressSanitizer: stack-buffer-overflow on address 0x7ffff5f00520 at ..
READ of size 257 at 0x7ffff5f00520 thread T0
    #0 0x00000032ffb6 in printf_common(void*, char const*, __va_list_tag*) (src/nft+0x32ffb6)
    #1 0x00000033055d in vsnprintf (src/nft+0x33055d)
    #2 0x000000332071 in snprintf (src/nft+0x332071)
    #3 0x0000004eef03 in netlink_gen_chain src/netlink.c:454:2
    #4 0x0000004eef03 in netlink_gen_verdict src/netlink.c:467:4

Reject chain jumps that exceed 255 characters, which matches the netlink
policy on the kernel side.

The included reproducer fails without asan too because the kernel will
reject the too-long chain name. But that happens after the asan-detected
bogus read.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c
tests/shell/testcases/bogons/nft-f/asan_out_of_bounds_read_with_long_chain [new file with mode: 0644]
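The defect and the fix described in the commit message, as an added example written for this page (it is not nftables code, and the names export_data, lacks_nul, chain_name_ok, gen_chain and demo are assumptions). export_data() stands in for libgmp's mpz_export_data(), which writes exactly len bytes and never appends a terminator. lacks_nul() repeats the export into a NFT_CHAIN_MAXNAMELEN-byte stack buffer and shows that a name of exactly 256 bytes leaves no room for a NUL, so the "%s" in snprintf would have to scan past the array, even when the buffer was zeroed first. gen_chain() shows the hardening the commit takes in evaluate.c: reject names longer than 255 characters before generation, which is the kernel's netlink limit, and, as an extra belt-and-braces measure not in the commit, pass an explicit precision so snprintf never scans for a terminator at all.

```c
#include <stdio.h>
#include <string.h>

/* Chain name buffer size on both sides of netlink: 255 characters plus NUL. */
#define NFT_CHAIN_MAXNAMELEN 256

/* Stand-in for libgmp's mpz_export_data() (assumption for this example):
 * copies exactly `len` raw bytes of the value and never appends a NUL. */
static void export_data(char *buf, const char *value, size_t len)
{
	memcpy(buf, value, len);
}

/* Reproduces the export from the commit message, with the snprintf("%s")
 * replaced by a bounded memchr() probe so the example itself stays in
 * bounds. Returns 1 when chain[] holds no NUL at all, i.e. when "%s"
 * would read past the array to find one; -1 if len does not fit. */
int lacks_nul(const char *value, size_t len)
{
	char chain[NFT_CHAIN_MAXNAMELEN];

	if (len > sizeof(chain))
		return -1; /* a different failure, not the one under discussion */

	/* Zeroing first terminates every name shorter than the buffer; a name
	 * of exactly sizeof(chain) bytes still overwrites every zero. */
	memset(chain, 0, sizeof(chain));
	export_data(chain, value, len);
	return memchr(chain, '\0', sizeof(chain)) == NULL;
}

/* Evaluation-time check with the same effect as the commit's rejection in
 * evaluate.c: the name must leave one byte for its NUL, so at most 255. */
int chain_name_ok(size_t len)
{
	return len > 0 && len < NFT_CHAIN_MAXNAMELEN;
}

/* Hardened generation: refuse over-long names before touching the stack
 * buffer, and bound the format width to `len` so snprintf copies exactly
 * that many bytes instead of scanning for a terminator.
 * Returns 0 on success, -1 when the name is rejected. */
int gen_chain(char *out, size_t outsz, const char *value, size_t len)
{
	char chain[NFT_CHAIN_MAXNAMELEN];

	if (!chain_name_ok(len))
		return -1;
	memset(chain, 0, sizeof(chain));
	export_data(chain, value, len);
	snprintf(out, outsz, "%.*s", (int)len, chain);
	return 0;
}

/* Exercises both paths with a constructed name of 256 'a' characters,
 * used at lengths 255 and 256. Returns 0 when every expectation holds,
 * otherwise one bit per failed expectation. */
int demo(void)
{
	char name[NFT_CHAIN_MAXNAMELEN + 1];
	char out[NFT_CHAIN_MAXNAMELEN];
	int failures = 0;

	memset(name, 'a', sizeof(name) - 1);
	name[sizeof(name) - 1] = '\0';

	/* 255 characters: terminated inside chain[], accepted. */
	if (lacks_nul(name, 255) != 0)
		failures |= 1;
	if (gen_chain(out, sizeof(out), name, 255) != 0 || strlen(out) != 255)
		failures |= 2;

	/* 256 characters: fills chain[] completely, rejected by the check. */
	if (lacks_nul(name, 256) != 1)
		failures |= 4;
	if (gen_chain(out, sizeof(out), name, 256) != -1)
		failures |= 8;

	/* An ordinary short name round-trips unchanged. */
	if (gen_chain(out, sizeof(out), "input", 5) != 0 || strcmp(out, "input") != 0)
		failures |= 16;

	return failures;
}

int main(void)
{
	int f = demo();

	printf("%s (failures=0x%x)\n", f ? "FAIL" : "ok", f);
	return f != 0;
}
```

The length check is the part that matters: once names of 256 or more characters are refused at evaluation time, the buffer in netlink_gen_chain() always has a byte left for the terminator, and the kernel would have rejected the longer name anyway.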