diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-10-17 15:50:21 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-11-03 12:24:21 +0100 |
commit | fed47380c91ba99c38b2f9b3f12df5648147c39c (patch) | |
tree | d7737935147ff7735555c743caa6d3c7355102c0 | |
parent | fd74051bb75bfb5faa8f72698ea081a8addf7858 (diff) |
evaluate: validate maximum log statement prefix length
commit 6ceec21204e0260af2d50e9e987d0fe3c79c28d4 upstream.
Otherwise too long string overruns the log prefix buffer.
Fixes: e76bb3794018 ("src: allow for variables in the log prefix string")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1714
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/evaluate.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index c183832b..fd7354e9 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3946,8 +3946,13 @@ static int stmt_evaluate_log_prefix(struct eval_ctx *ctx, struct stmt *stmt) struct expr *expr; size_t size = 0; - if (stmt->log.prefix->etype != EXPR_LIST) + if (stmt->log.prefix->etype != EXPR_LIST) { + if (stmt->log.prefix && + div_round_up(stmt->log.prefix->len, BITS_PER_BYTE) >= NF_LOG_PREFIXLEN) + return expr_error(ctx->msgs, stmt->log.prefix, "log prefix is too long"); + return 0; + } list_for_each_entry(expr, &stmt->log.prefix->expressions, list) { switch (expr->etype) { |