udata: incorrect userdata buffer size validation

Use the current remaining space in the buffer to ensure more userdata attributes still fit in, buf->size is the total size of the userdata buffer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2024-02-26 17:31:19 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2024-02-26 18:10:15 +0100
commit: a4bcdfa6200ef1945a8f936a4474b59666c8dcca (patch)
tree: 4a5812aa3895a17a70273b0526caa896ce82ee54 /src
parent: f15f1e3feb130f131d6f03d4081b569f81b94fce (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/src/udata.c b/src/udata.c
index 0cc3520..e9bfc35 100644
--- a/src/udata.c
+++ b/src/udata.c
@@ -42,6 +42,11 @@ uint32_t nftnl_udata_buf_len(const struct nftnl_udata_buf *buf)
 	return (uint32_t)(buf->end - buf->data);
 }
 
+static uint32_t nftnl_udata_buf_space(const struct nftnl_udata_buf *buf)
+{
+	return buf->size - nftnl_udata_buf_len(buf);
+}
+
 EXPORT_SYMBOL(nftnl_udata_buf_data);
 void *nftnl_udata_buf_data(const struct nftnl_udata_buf *buf)
 {
@@ -74,7 +79,8 @@ bool nftnl_udata_put(struct nftnl_udata_buf *buf, uint8_t type, uint32_t len,
 {
 	struct nftnl_udata *attr;
 
-	if (len > UINT8_MAX || buf->size < len + sizeof(struct nftnl_udata))
+	if (len > UINT8_MAX ||
+	    nftnl_udata_buf_space(buf) < len + sizeof(struct nftnl_udata))
 		return false;
 
 	attr = (struct nftnl_udata *)buf->end;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2024-02-26 17:31:19 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2024-02-26 18:10:15 +0100
commit	a4bcdfa6200ef1945a8f936a4474b59666c8dcca (patch)
tree	4a5812aa3895a17a70273b0526caa896ce82ee54 /src
parent	f15f1e3feb130f131d6f03d4081b569f81b94fce (diff)