author | Phil Sutter <phil@nwl.cc> | 2019-10-16 23:22:53 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2019-10-17 12:51:53 +0200 |
commit | b51e999dcf0f87e125a81d8623b1a34c6407e624 (patch) | |
tree | f4a2a0a5a50173990f3f4ced58caf6c917f2361f /doxygen.cfg.in | |
parent | ede1781101f669312ae513a83932f0c727738df9 (diff) |
obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parser

This is a necessary follow-up on commit 00b144bc9d093 ("obj/ct_timeout:
Avoid array overrun in timeout_parse_attr_data()") which fixed array out
of bounds access but missed the logic behind it:

The nested attribute type values are incremented by one when being
transferred between kernel and userspace, the zero type value is
reserved for "unspecified".

Kernel uses CTA_TIMEOUT_* symbols for that, libnftnl simply mangles the
type values in nftnl_obj_ct_timeout_build().

Return path was broken as it overstepped its nlattr array but apart from
that worked: Type values were decremented by one in
timeout_parse_attr_data().

This patch moves the type value mangling into
parse_timeout_attr_policy_cb() (which still overstepped nlattr array).
Consequently, when copying values from nlattr array into ct timeout
object in timeout_parse_attr_data(), loop is adjusted to start at index
0 and the type value decrement is dropped there.

Fixes: 0adceeab1597a ("src: add ct timeout support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doxygen.cfg.in')
0 files changed, 0 insertions, 0 deletions
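
The type-value convention the commit message describes, as an added sketch that is not libnftnl's code: slots are sent with type `i + 1`, the parse callback undoes the offset and rejects out-of-range types before indexing its array, and the copy loop then starts at index 0. `struct attr`, `TIMEOUT_MAX` and the function names are assumptions made for this example; libmnl is not used.

```c
#include <stddef.h>
#include <stdint.h>

#define TIMEOUT_MAX 4 /* hypothetical number of per-state timeout slots */

/* Simplified stand-in for a nested netlink attribute (not libmnl's nlattr). */
struct attr { uint16_t type; uint32_t val; };

/* Build: slot i is sent as type i + 1, because type 0 means "unspecified". */
static size_t build_timeouts(const uint32_t *timeout, struct attr *out)
{
    for (uint16_t i = 0; i < TIMEOUT_MAX; i++) {
        out[i].type = (uint16_t)(i + 1);
        out[i].val = timeout[i];
    }
    return TIMEOUT_MAX;
}

/* Parse callback: undo the +1 here, so tb[] is indexed by slot 0..MAX-1
 * and a type of 0 or above TIMEOUT_MAX can never index outside tb[]. */
static void parse_cb(const struct attr *a, const struct attr **tb)
{
    if (a->type == 0 || a->type > TIMEOUT_MAX)
        return; /* unspecified or unknown type: skip */
    tb[a->type - 1] = a;
}

/* Copy parsed values into the object; returns a bitmask of the slots set. */
static uint32_t parse_timeouts(const struct attr *in, size_t n, uint32_t *timeout)
{
    const struct attr *tb[TIMEOUT_MAX] = { NULL };
    uint32_t set = 0;

    for (size_t i = 0; i < n; i++)
        parse_cb(&in[i], tb);
    for (unsigned int i = 0; i < TIMEOUT_MAX; i++) { /* index 0, no decrement */
        if (!tb[i])
            continue;
        timeout[i] = tb[i]->val;
        set |= 1u << i;
    }
    return set;
}
```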