author | Phil Sutter <phil@nwl.cc> | 2024-11-27 16:30:08 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2024-12-04 15:43:50 +0100 |
commit | 7cb2a63d67af14576988631e916404592f261fd4 (patch) | |
tree | 401823d2d0d388318612cb12b5769aa872845c60 /src | |
parent | 1b167c52ff3f582afc3ff20d632b40f50b9b5c3f (diff) |
set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT

Assuming max data_len of 16 * 4B and no zero bytes in 'data':
The while loop will increment field_count, use it as index for the
field_len array and afterwards make sure it hasn't increased to
NFT_REG32_COUNT. Thus a value of NFT_REG32_COUNT - 1 (= 15) will pass
the check, get incremented to 16 and used as index to the 16 fields long
array.

Use a less fancy for-loop to avoid the increment vs. check problem.

Fixes: 407f616ea5318 ("set: buffer overflow in NFTNL_SET_DESC_CONCAT setter")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/set.c | 6 |
1 files changed, 4 insertions, 2 deletions
@@ -185,8 +185,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data, return -1; memcpy(&s->desc.field_len, data, data_len); - while (s->desc.field_len[++s->desc.field_count]) { - if (s->desc.field_count >= NFT_REG32_COUNT) + for (s->desc.field_count = 0; + s->desc.field_count < NFT_REG32_COUNT; + s->desc.field_count++) { + if (!s->desc.field_len[s->desc.field_count]) break; } break; |
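Review bot: The new for-loop header changes more than the overrun the commit message describes: `s->desc.field_count = 0` resets the counter and the loop now tests `field_len[0]`, whereas the removed `while (s->desc.field_len[++s->desc.field_count])` started from whatever field_count already held and never looked at index 0. The new semantics look right (field_count ends as the number of leading non-zero entries, capped at NFT_REG32_COUNT, and the index stays within 0..NFT_REG32_COUNT - 1), but a repeated call to this setter or a zero first field length now yields a different count than before, so please mention that in the commit message. A regression test that passes 16 non-zero field lengths and expects field_count == 16 would pin the boundary case down.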