src: reject large raw payload and concat expressions

The kernel will reject this too, but unfortunately nft may try to cram the data into the underlying libnftnl expr. This causes heap corruption or BUG: nld buffer overflow: want to copy 132, max 64 After: Error: Concatenation of size 544 exceeds maximum size of 512 udp length . @th,0,512 . @th,512,512 { 47-63 . 0xe373135363130 . 0x33131303735353203 } ^^^^^^^^^ resp. same warning for an over-sized raw expression. Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2023-12-12 19:13:14 +0100
committer: Florian Westphal <fw@strlen.de> 2023-12-15 02:27:14 +0100
commit: ef10d65db278d77208e960d210a1f4f532ebb552 (patch)
tree: 354f10077f748e440f15b205071610c7c1f273b3 /src/evaluate.c
parent: 8eeedce89d8bf0ad58da398782c2ca8a91d83a32 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 1c5078d6..87cd68d3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1591,6 +1591,10 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
 		}
 
 		ctx->inner_desc = NULL;
+
+		if (size > NFT_MAX_EXPR_LEN_BITS)
+			return expr_error(ctx->msgs, i, "Concatenation of size %u exceeds maximum size of %u",
+					  size, NFT_MAX_EXPR_LEN_BITS);
 	}
 
 	(*expr)->flags |= flags;
@@ -4719,6 +4723,10 @@ static int set_expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
 
 		(*expr)->field_len[(*expr)->field_count++] = dsize_bytes;
 		size += netlink_padded_len(i->len);
+
+		if (size > NFT_MAX_EXPR_LEN_BITS)
+			return expr_error(ctx->msgs, i, "Concatenation of size %u exceeds maximum size of %u",
+					  size, NFT_MAX_EXPR_LEN_BITS);
 	}
 
 	(*expr)->flags |= flags;
author	Florian Westphal <fw@strlen.de>	2023-12-12 19:13:14 +0100
committer	Florian Westphal <fw@strlen.de>	2023-12-15 02:27:14 +0100
commit	ef10d65db278d77208e960d210a1f4f532ebb552 (patch)
tree	354f10077f748e440f15b205071610c7c1f273b3 /src/evaluate.c
parent	8eeedce89d8bf0ad58da398782c2ca8a91d83a32 (diff)