diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-05-05 19:21:56 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-05-05 19:23:58 +0200 |
commit | eea03c8fb560a8a6deede1bccbce78b52b2c2905 (patch) | |
tree | f9d594e7e6c7f9fe044e153e47d615da9e49e1a1 /src | |
parent | 506fb113f7ca4fbb3d6da09ef6f9dc2b31f54a1f (diff) |
src: add rule_stmt_insert_at() and use it
This helper function adds a statement at a given position and it updates
the rule statement counter.
This patch fixes this:
flush table bridge test-bridge
add rule bridge test-bridge input vlan id 1 ip saddr 10.0.0.1
rule.c:2870:5: runtime error: index 2 out of bounds for type 'stmt *[*]'
=================================================================
==1043==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffdd69c1350 at pc 0x7f1036f53330 bp 0x7ffdd69c1300 sp 0x7ffdd69c12f8
WRITE of size 8 at 0x7ffdd69c1350 thread T0
#0 0x7f1036f5332f in payload_try_merge /home/mbr/nftables/src/rule.c:2870
#1 0x7f1036f534b7 in rule_postprocess /home/mbr/nftables/src/rule.c:2885
#2 0x7f1036fb2785 in rule_evaluate /home/mbr/nftables/src/evaluate.c:3744
#3 0x7f1036fb627b in cmd_evaluate_add /home/mbr/nftables/src/evaluate.c:3982
#4 0x7f1036fbb9e9 in cmd_evaluate /home/mbr/nftables/src/evaluate.c:4462
#5 0x7f10370652d2 in nft_evaluate /home/mbr/nftables/src/libnftables.c:414
#6 0x7f1037065ba1 in nft_run_cmd_from_buffer /home/mbr/nftables/src/libnftables.c:447
Reported-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/evaluate.c | 9 | ||||
-rw-r--r-- | src/rule.c | 7 |
2 files changed, 12 insertions, 4 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 59714131..4cf28987 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -659,7 +659,7 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx, if (err < 0) return err; - list_add_tail(&nstmt->list, &ctx->stmt->list); + rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt); } assert(base <= PROTO_BASE_MAX); @@ -673,7 +673,7 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx, return 1; payload->payload.offset += ctx->pctx.protocol[base].offset; - list_add_tail(&nstmt->list, &ctx->stmt->list); + rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt); return 0; } @@ -698,7 +698,8 @@ static int __expr_evaluate_payload(struct eval_ctx *ctx, struct expr *expr) if (desc == NULL) { if (payload_gen_dependency(ctx, payload, &nstmt) < 0) return -1; - list_add_tail(&nstmt->list, &ctx->stmt->list); + + rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt); } else { /* No conflict: Same payload protocol as context, adjust offset * if needed. @@ -840,8 +841,8 @@ static int ct_gen_nh_dependency(struct eval_ctx *ctx, struct expr *ct) relational_expr_pctx_update(&ctx->pctx, dep); nstmt = expr_stmt_alloc(&dep->location, dep); + rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt); - list_add_tail(&nstmt->list, &ctx->stmt->list); return 0; } @@ -686,6 +686,13 @@ struct rule *rule_lookup_by_index(const struct chain *chain, uint64_t index) return NULL; } +void rule_stmt_insert_at(struct rule *rule, struct stmt *nstmt, + struct stmt *stmt) +{ + list_add_tail(&nstmt->list, &stmt->list); + rule->num_stmts++; +} + struct scope *scope_alloc(void) { struct scope *scope = xzalloc(sizeof(struct scope)); |