diff options
| author | Florian Westphal <fw@strlen.de> | 2025-03-14 07:50:54 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2025-03-18 20:24:14 +0100 |
| commit | 37dfb1972cae061c09f278933af998a7c4fc2696 (patch) | |
| tree | b0467ba68f62219e701a0e58cf02ee6987e2ddfe /configure.ac | |
| parent | 3b92dc32e60e8c24c783af8d90a0928d71d520f4 (diff) | |
netlink: fix stack buffer overrun when emitting ranged expressions
Included bogon input generates following Sanitizer splat:
AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7...
WRITE of size 2 at 0x7fffffffcbe4 thread T0
#0 0x0000003a68b8 in __asan_memset (src/nft+0x3a68b8) (BuildId: 3678ff51a5405c77e3e0492b9a985910efee73b8)
#1 0x0000004eb603 in __mpz_export_data src/gmputil.c:108:2
#2 0x0000004eb603 in netlink_export_pad src/netlink.c:256:2
#3 0x0000004eb603 in netlink_gen_range src/netlink.c:471:2
#4 0x0000004ea250 in __netlink_gen_data src/netlink.c:523:10
#5 0x0000004e8ee3 in alloc_nftnl_setelem src/netlink.c:205:3
#6 0x0000004d4541 in mnl_nft_setelem_batch src/mnl.c:1816:11
Problem is that the range end is emitted to the buffer at the *padded*
location (rounded up to next register size), but buffer sizing is
based of the expression length, not the padded length.
Also extend the test script: Capture stderr and if we see
AddressSanitizer warning, make it fail.
Same bug as the one fixed in 600b84631410 ("netlink: fix stack buffer overflow with sub-reg sized prefixes"),
just in a different function.
Apply same fix: no dynamic array + add a range check.
Joint work with Pablo Neira Ayuso.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'configure.ac')
0 files changed, 0 insertions, 0 deletions