git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 14 Mar 2025 06:50:54 +0000 (07:50 +0100)
committer	Florian Westphal <fw@strlen.de>
	Tue, 18 Mar 2025 19:24:14 +0000 (20:24 +0100)
commit	37dfb1972cae061c09f278933af998a7c4fc2696
tree	b0467ba68f62219e701a0e58cf02ee6987e2ddfe	tree
parent	3b92dc32e60e8c24c783af8d90a0928d71d520f4	commit \| diff

netlink: fix stack buffer overrun when emitting ranged expressions

Included bogon input generates following Sanitizer splat:

AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7...
WRITE of size 2 at 0x7fffffffcbe4 thread T0
    #0 0x0000003a68b8 in __asan_memset (src/nft+0x3a68b8) (BuildId: 3678ff51a5405c77e3e0492b9a985910efee73b8)
    #1 0x0000004eb603 in __mpz_export_data src/gmputil.c:108:2
    #2 0x0000004eb603 in netlink_export_pad src/netlink.c:256:2
    #3 0x0000004eb603 in netlink_gen_range src/netlink.c:471:2
    #4 0x0000004ea250 in __netlink_gen_data src/netlink.c:523:10
    #5 0x0000004e8ee3 in alloc_nftnl_setelem src/netlink.c:205:3
    #6 0x0000004d4541 in mnl_nft_setelem_batch src/mnl.c:1816:11

Problem is that the range end is emitted to the buffer at the *padded*
location (rounded up to next register size), but buffer sizing is
based of the expression length, not the padded length.

Also extend the test script: Capture stderr and if we see
AddressSanitizer warning, make it fail.

Same bug as the one fixed in 600b84631410 ("netlink: fix stack buffer overflow with sub-reg sized prefixes"),
just in a different function.

Apply same fix: no dynamic array + add a range check.

Joint work with Pablo Neira Ayuso.

Signed-off-by: Florian Westphal <fw@strlen.de>

src/netlink.c		diff \| blob \| blame \| history
tests/shell/testcases/bogons/assert_failures		diff \| blob \| blame \| history
tests/shell/testcases/bogons/nft-f/asan_stack_buffer_overrun_in_netlink_gen_range	[new file with mode: 0644]	blob