From 00b144bc9d093dbdd1a3690dc8e8fb90b5447f2d Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Fri, 4 Oct 2019 21:44:14 +0200
Subject: obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data()

Array 'tb' has only 'attr_max' elements, the loop overstepped its boundary by one. Copy array_size() macro from include/utils.h in nftables.git to make sure code does the right thing.

Fixes: 0adceeab1597a ("src: add ct timeout support")
Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
---
 include/utils.h | 8 ++++++++
 src/obj/ct_timeout.c | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/include/utils.h b/include/utils.h
index 3cc6596..91fbebb 100644
--- a/include/utils.h
+++ b/include/utils.h
@@ -58,6 +58,14 @@ void __nftnl_assert_attr_exists(uint16_t attr, uint16_t attr_max,
 	ret = remain; \
 	remain -= ret; \
+
+#define BUILD_BUG_ON_ZERO(e) (sizeof(char[1 - 2 * !!(e)]) - 1)
+
+#define __must_be_array(a) \
+	BUILD_BUG_ON_ZERO(__builtin_types_compatible_p(typeof(a), typeof(&a[0])))
+
+#define array_size(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
+
 const char *nftnl_family2str(uint32_t family);
 int nftnl_str2family(const char *family);
diff --git a/src/obj/ct_timeout.c b/src/obj/ct_timeout.c
index a439432..a09e25a 100644
--- a/src/obj/ct_timeout.c
+++ b/src/obj/ct_timeout.c
@@ -134,7 +134,7 @@ timeout_parse_attr_data(struct nftnl_obj *e,
 	if (mnl_attr_parse_nested(nest, parse_timeout_attr_policy_cb, &cnt) < 0)
 		return -1;
-	for (i = 1; i <= attr_max; i++) {
+	for (i = 1; i < array_size(tb); i++) {
 		if (tb[i]) {
 			nftnl_timeout_policy_attr_set_u32(e, i-1, ntohl(mnl_attr_get_u32(tb[i])));
-- 
cgit v1.2.3
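Review bot: `__must_be_array` and `BUILD_BUG_ON_ZERO` depend on the GCC/Clang extensions `typeof` and `__builtin_types_compatible_p`, and `__must_be_array` is a reserved identifier (leading double underscore), yet the hunk carries no comment saying why the extra term exists or what compilers it needs. The `a` in `typeof(&a[0])` is also unparenthesized, unlike `(arr)[0]` in `array_size`; `typeof(&(a)[0])` would close that gap for argument expressions. A one-line comment above the group such as `/* array_size(): element count of a true array; a pointer argument fails to compile (GNU C: typeof, __builtin_types_compatible_p) */` would make the intent clear to readers. Whether include/utils.h is installed as a public header is not visible here; if it is, the extension use needs a compiler guard.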
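Review bot: The new bound `i < array_size(tb)` stops this loop from reading past `tb`, but the side that fills `tb` is outside the hunk: `parse_timeout_attr_policy_cb` is invoked by `mnl_attr_parse_nested` on attribute types taken from the netlink message, and if its validity check still admits types up to `attr_max` (the commit message says `tb` has only `attr_max` elements) the callback could presumably still index `tb[attr_max]` on untrusted input even though this loop no longer does. Worth confirming that the callback's limit is derived from the same `array_size(tb)` rather than from `attr_max`. `array_size()` yields `size_t`, so if `i` is a signed int the comparison now mixes signedness and will warn under `-Wsign-compare`; declaring `i` as `size_t` or `unsigned` keeps it clean. `timeout_parse_attr_data` starts before the hunk and the loop body continues past it.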