diff options
author | Florian Westphal <fw@strlen.de> | 2023-12-20 15:40:54 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2023-12-20 16:26:30 +0100 |
commit | b9e19cc396347df8c7f8cf5d14ba1d6172040f16 (patch) | |
tree | b32162ee5340b71bc7fa2fcf64ca45a328ad9124 | |
parent | 588470e00539404fd793fe22718067721f5754be (diff) |
netlink: fix stack overflow due to erroneous rounding
Byteorder switch in this function may undersize the conversion
buffer by one byte, this needs to use div_round_up().
Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r-- | src/netlink.c | 11 | ||||
-rw-r--r-- | tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow | 6 |
2 files changed, 14 insertions, 3 deletions
diff --git a/src/netlink.c b/src/netlink.c index 32b18995..3d685b57 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -254,6 +254,11 @@ static int netlink_export_pad(unsigned char *data, const mpz_t v, return netlink_padded_len(i->len) / BITS_PER_BYTE; } +static void byteorder_switch_expr_value(mpz_t v, const struct expr *e) +{ + mpz_switch_byteorder(v, div_round_up(e->len, BITS_PER_BYTE)); +} + static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i, unsigned char *data) { @@ -268,7 +273,7 @@ static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i, if (expr_basetype(expr)->type == TYPE_INTEGER && expr->byteorder == BYTEORDER_HOST_ENDIAN) - mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE); + byteorder_switch_expr_value(expr->value, expr); i = expr; break; @@ -280,7 +285,7 @@ static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i, mpz_init_bitmask(v, i->len - i->prefix_len); if (i->byteorder == BYTEORDER_HOST_ENDIAN) - mpz_switch_byteorder(v, i->len / BITS_PER_BYTE); + byteorder_switch_expr_value(v, i); mpz_add(v, i->prefix->value, v); count = netlink_export_pad(data, v, i); @@ -298,7 +303,7 @@ static int __netlink_gen_concat_key(uint32_t flags, const struct expr *i, expr = (struct expr *)i; if (expr_basetype(expr)->type == TYPE_INTEGER && expr->byteorder == BYTEORDER_HOST_ENDIAN) - mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE); + byteorder_switch_expr_value(expr->value, expr); break; default: BUG("invalid expression type '%s' in set", expr_ops(i)->name); diff --git a/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow new file mode 100644 index 00000000..01640528 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/byteorder_switch_stack_overflow @@ -0,0 +1,6 @@ +table inet x { + chain nat_dns_acme { + udp length . @th,260,118 vmap { 47-63 . 0xe373135363130333131303735353203 : goto nat_dns_dnstc, } + drop + } +} |