From bc2afbde9eae491bcef23ef5b24b25c7605ad911 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 12 Dec 2023 15:01:17 +0100
Subject: expr: fix buffer overflows in data value setters

The data value setters memcpy() to a fixed-size buffer, but its very easy to make nft pass too-larger values.

Example:

@th,160,1272 gt 0

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..]

Truncate the copy instead of corrupting the heap.
This needs additional fixes on nft side to reject such statements with a proper error message.

Signed-off-by: Florian Westphal
---
 src/expr/range.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

(limited to 'src/expr/range.c')

diff --git a/src/expr/range.c b/src/expr/range.c
index 473add8..5a30e48 100644
--- a/src/expr/range.c
+++ b/src/expr/range.c
@@ -40,13 +40,9 @@ static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
 memcpy(&range->op, data, sizeof(range->op));
 break;
 case NFTNL_EXPR_RANGE_FROM_DATA:
- memcpy(&range->data_from.val, data, data_len);
- range->data_from.len = data_len;
- break;
+ return nftnl_data_cpy(&range->data_from, data, data_len);
 case NFTNL_EXPR_RANGE_TO_DATA:
- memcpy(&range->data_to.val, data, data_len);
- range->data_to.len = data_len;
- break;
+ return nftnl_data_cpy(&range->data_to, data, data_len);
 default:
 return -1;
 }
-- 
cgit v1.2.3
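Review bot: The two added `return nftnl_data_cpy(...)` lines make an oversize `data_len` silently succeed with a shortened value, as the commit message itself says the copy is now truncated rather than rejected, so a caller that passed too many bytes gets a range bound that does not match what it asked for and no error to tell it so. Until the nft-side rejection the message mentions lands, the call sites deserve a comment making that contract explicit, e.g. `/* nftnl_data_cpy() truncates to sizeof(data_from.val); oversize input is not an error here */`, and the helper's return value should be checked to actually distinguish truncation if it can (its definition is not in this hunk, so I cannot tell). The enclosing `nftnl_expr_range_set` starts and ends outside the hunk, so the type and origin of `data_len` and whether `nftnl_data_cpy` is declared via an existing include of range.c are not visible here.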