expr: fix buffer overflows in data value setters

The data value setters memcpy() to a fixed-size buffer, but its very easy to make nft pass too-larger values. Example: @th,160,1272 gt 0 ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..] Truncate the copy instead of corrupting the heap. This needs additional fixes on nft side to reject such statements with a proper error message. Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2023-12-12 15:01:17 +0100
committer: Florian Westphal <fw@strlen.de> 2023-12-12 16:11:15 +0100
commit: bc2afbde9eae491bcef23ef5b24b25c7605ad911 (patch)
tree: becc43a77fdf77975b5cfa3f61de8dea7cf4ee7c /src/expr/cmp.c
parent: ff117f50d2f99c03a65b4952b1a6988a8adc700f (diff)
1 files changed, 1 insertions, 3 deletions
diff --git a/src/expr/cmp.c b/src/expr/cmp.c
index f9d15bb..1d396e8 100644
--- a/src/expr/cmp.c
+++ b/src/expr/cmp.c
@@ -42,9 +42,7 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type,
 		memcpy(&cmp->op, data, sizeof(cmp->op));
 		break;
 	case NFTNL_EXPR_CMP_DATA:
-		memcpy(&cmp->data.val, data, data_len);
-		cmp->data.len = data_len;
-		break;
+		return nftnl_data_cpy(&cmp->data, data, data_len);
 	default:
 		return -1;
 	}
author	Florian Westphal <fw@strlen.de>	2023-12-12 15:01:17 +0100
committer	Florian Westphal <fw@strlen.de>	2023-12-12 16:11:15 +0100
commit	bc2afbde9eae491bcef23ef5b24b25c7605ad911 (patch)
tree	becc43a77fdf77975b5cfa3f61de8dea7cf4ee7c /src/expr/cmp.c
parent	ff117f50d2f99c03a65b4952b1a6988a8adc700f (diff)