author | Florian Westphal <fw@strlen.de> | 2023-12-12 15:01:17 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2023-12-12 16:11:15 +0100 |
commit | bc2afbde9eae491bcef23ef5b24b25c7605ad911 (patch) | |
tree | becc43a77fdf77975b5cfa3f61de8dea7cf4ee7c /src/expr/bitwise.c | |
parent | ff117f50d2f99c03a65b4952b1a6988a8adc700f (diff) |
expr: fix buffer overflows in data value setters
The data value setters memcpy() to a fixed-size buffer, but it's very easy
to make nft pass too-large values. Example:
@th,160,1272 gt 0
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..]
Truncate the copy instead of corrupting the heap.
This needs additional fixes on nft side to reject such statements with a
proper error message.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'src/expr/bitwise.c')
-rw-r--r-- | src/expr/bitwise.c | 12 |
1 files changed, 3 insertions, 9 deletions
diff --git a/src/expr/bitwise.c b/src/expr/bitwise.c
index 2d27233..e5dba82 100644
--- a/src/expr/bitwise.c
+++ b/src/expr/bitwise.c
@@ -51,17 +51,11 @@ nftnl_expr_bitwise_set(struct nftnl_expr *e, uint16_t type,
 memcpy(&bitwise->len, data, sizeof(bitwise->len));
 break;
 case NFTNL_EXPR_BITWISE_MASK:
- memcpy(&bitwise->mask.val, data, data_len);
- bitwise->mask.len = data_len;
- break;
+ return nftnl_data_cpy(&bitwise->mask, data, data_len);
 case NFTNL_EXPR_BITWISE_XOR:
- memcpy(&bitwise->xor.val, data, data_len);
- bitwise->xor.len = data_len;
- break;
+ return nftnl_data_cpy(&bitwise->xor, data, data_len);
 case NFTNL_EXPR_BITWISE_DATA:
- memcpy(&bitwise->data.val, data, data_len);
- bitwise->data.len = data_len;
- break;
+ return nftnl_data_cpy(&bitwise->data, data, data_len);
 default:
 return -1;
 }
|
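Review bot: The three `return nftnl_data_cpy(...)` lines for MASK, XOR and DATA make the helper's return value the only signal a caller gets when `data_len` exceeds the destination, and the commit message says the copy is truncated rather than refused. A silently shortened mask or xor operand produces a rule that matches different traffic from the one requested. It is therefore worth confirming that `nftnl_data_cpy()` (defined outside this file section) returns non-zero on truncation and that callers check the setter's result instead of ignoring it. A short comment above the first of these cases would record the contract, e.g. `/* nftnl_data_cpy() bounds the copy to the register size; oversize input is truncated, check the return value */`. The switch sits inside `nftnl_expr_bitwise_set()`, whose beginning and end are outside the hunk.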