author | Florian Westphal <fw@strlen.de> | 2023-12-13 17:37:11 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2023-12-13 18:11:20 +0100 |
commit | 7008b1200fb4988b7cd7ee1c5399cae071688d50 (patch) | |
tree | 36e8e52f1a5bb8ceb1afa030dad3834757686e21 /tests/shell | |
parent | c0194279d356f942e81555262e41264af7659a1f (diff) |
meta: fix tc classid parsing out-of-bounds access

AddressSanitizer: heap-buffer-overflow on address 0x6020000003af ...
    #0 0x7f9a83cbb402 in tchandle_type_parse src/meta.c:89
    #1 0x7f9a83c6753f in symbol_parse src/datatype.c:138

strlen() - 1 can underflow if length was 0.

Simplify the function, there is no need to duplicate the string
while scanning it.

Expect the first strtol to stop at ':', scan for the minor number next.
The second scan is required to stop at '\0'.

Fixes: 6f2eb8548e0d ("src: meta priority support using tc classid")
Signed-off-by: Florian Westphal <fw@strlen.de>
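
The scanning approach the commit message describes (first scan stops at ':', second at '\0'), as an added C example; it is not the nftables source and not the patch itself. The names `last_index`, `parse_hex16` and `parse_classid` are hypothetical, and requiring both fields to be non-empty 16-bit hex values is an assumption of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The hazard from the commit message: strlen() returns size_t, so for an
 * empty string "strlen(s) - 1" wraps to SIZE_MAX and s[that] is s[-1]. */
static size_t last_index(const char *s)
{
	return strlen(s) - 1;
}

/* Scan one hex field in place (no strdup); *end is where the scan stopped. */
static int parse_hex16(const char *s, char **end, uint32_t *out)
{
	unsigned long v;

	/* Reject empty fields, leading whitespace and signs up front. */
	if (!isxdigit((unsigned char)s[0]))
		return -1;
	errno = 0;
	v = strtoul(s, end, 16);
	if (errno != 0 || v > 0xffff)
		return -1;
	*out = (uint32_t)v;
	return 0;
}

/* Returns 0 and stores (major << 16) | minor, or -1 on malformed input. */
static int parse_classid(const char *s, uint32_t *handle)
{
	uint32_t major, minor;
	char *end;

	if (parse_hex16(s, &end, &major) < 0 || *end != ':')
		return -1;	/* first scan must stop at ':' */
	if (parse_hex16(end + 1, &end, &minor) < 0 || *end != '\0')
		return -1;	/* second scan must stop at '\0' */
	*handle = (major << 16) | minor;
	return 0;
}

int main(void)
{
	/* Constructed inputs; "::a" is the value from the bogon test case. */
	const char *in[] = { "1:2", "ffff:ffff", "::a", "", ":", "1:2x", "10000:1" };
	uint32_t h;

	printf("strlen(\"\") - 1 = %zu\n", last_index(""));
	for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
		printf("%-10s -> %s\n", in[i], parse_classid(in[i], &h) ? "reject" : "ok");
	return 0;
}
```
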
Diffstat (limited to 'tests/shell')
-rw-r--r-- | tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow b/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow new file mode 100644 index 00000000..ea7186bf --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/tchandle_type_parse_heap_overflow @@ -0,0 +1,6 @@ +table t { +map m { + type ipv4_addr : classid + elements = { 1.1.26.3 : ::a } +} +} |
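
Review bot: the new bogon file exercises only one malformed classid, `::a` in the `elements` line, while the commit message names two stopping conditions for the rewritten scan (first at ':', second at '\0'). Consider adding a second reproducer whose value has trailing characters after the minor number, so a regression in the end-of-string check is caught as well. The diffstat here is limited to tests/shell, so the src/meta.c change this test guards is not visible in this view and cannot be checked against it.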