authorDaniel Gröber <dxld@darkboxed.org>2020-06-24 15:30:02 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2020-07-01 12:56:27 +0200
commitaeabb1640ffb5643729ca2ce343738cd85b65f3f (patch)
tree9849264e74e7f459cfc953c87627337fb7855b0c /src/conntrack/grp_setter.c
parent45d804ab63f034e3e9f525806f36eda5245aefa7 (diff)
conntrack: Fix buffer overflow on invalid icmp type in setters
When type is out of range for the invmap_icmp{,v6} array we leave rtype at zero which will map to type=255 just like other error cases in this function. Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/conntrack/grp_setter.c')
-rw-r--r--src/conntrack/grp_setter.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/conntrack/grp_setter.c b/src/conntrack/grp_setter.c
index fccf578..4f0125b 100644
--- a/src/conntrack/grp_setter.c
+++ b/src/conntrack/grp_setter.c
@@ -85,18 +85,20 @@ static void set_attr_grp_repl_port(struct nf_conntrack *ct, const void *value)
static void set_attr_grp_icmp(struct nf_conntrack *ct, const void *value)
{
- uint8_t rtype;
const struct nfct_attr_grp_icmp *this = value;
+ uint8_t rtype = 0;
ct->head.orig.l4dst.icmp.type = this->type;
switch(ct->head.orig.l3protonum) {
case AF_INET:
- rtype = invmap_icmp[this->type];
+ if (this->type < ARRAY_SIZE(invmap_icmp))
+ rtype = invmap_icmp[this->type];
break;
case AF_INET6:
- rtype = invmap_icmpv6[this->type - 128];
+ if (this->type - 128 < ARRAY_SIZE(invmap_icmp))
+ rtype = invmap_icmpv6[this->type - 128];
break;
default:
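Review bot: In the AF_INET6 case the new bound is taken from the wrong table: the guard is `this->type - 128 < ARRAY_SIZE(invmap_icmp)`, while the read on the following line indexes `invmap_icmpv6`. If the two tables differ in length (their definitions are not visible here), the check either still admits an out-of-range index into `invmap_icmpv6` or rejects valid ICMPv6 types. The guard should be `if (this->type >= 128 && this->type - 128 < ARRAY_SIZE(invmap_icmpv6))`; the explicit lower bound also avoids relying on the negative int from `this->type - 128` being converted to a large unsigned value in the comparison, which presumably holds only because ARRAY_SIZE yields a `size_t`. The body of set_attr_grp_icmp continues past the end of the hunk.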