expr: fix buffer overflows in data value setters

The data value setters memcpy() to a fixed-size buffer, but its very easy
to make nft pass too-larger values.  Example:
  @th,160,1272 gt 0

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..]

Truncate the copy instead of corrupting the heap.
This needs additional fixes on nft side to reject such statements with a
proper error message.

Signed-off-by: Florian Westphal <fw@strlen.de>

1 files changed, 3 insertions, 9 deletions

diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index 2d27233..e5dba82 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -51,17 +51,11 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
 		memcpy(&bitwise->len, data, sizeof(bitwise->len));
 		break;
 	case NFTNL_EXPR_BITWISE_MASK:
-		memcpy(&bitwise->mask.val, data, data_len);
-		bitwise->mask.len = data_len;
-		break;
+		return nftnl_data_cpy(&bitwise->mask, data, data_len);
 	case NFTNL_EXPR_BITWISE_XOR:
-		memcpy(&bitwise->xor.val, data, data_len);
-		bitwise->xor.len = data_len;
-		break;
+		return nftnl_data_cpy(&bitwise->xor, data, data_len);
 	case NFTNL_EXPR_BITWISE_DATA:
-		memcpy(&bitwise->data.val, data, data_len);
-		bitwise->data.len = data_len;
-		break;
+		return nftnl_data_cpy(&bitwise->data, data, data_len);
 	default:
 		return -1;
 	}