From bc2afbde9eae491bcef23ef5b24b25c7605ad911 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Tue, 12 Dec 2023 15:01:17 +0100 Subject: expr: fix buffer overflows in data value setters The data value setters memcpy() to a fixed-size buffer, but its very easy to make nft pass too-larger values. Example: @th,160,1272 gt 0 ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..] Truncate the copy instead of corrupting the heap. This needs additional fixes on nft side to reject such statements with a proper error message. Signed-off-by: Florian Westphal --- src/expr/cmp.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'src/expr/cmp.c') diff --git a/src/expr/cmp.c b/src/expr/cmp.c index f9d15bb..1d396e8 100644 --- a/src/expr/cmp.c +++ b/src/expr/cmp.c @@ -42,9 +42,7 @@ nftnl_expr_cmp_set(struct nftnl_expr *e, uint16_t type, memcpy(&cmp->op, data, sizeof(cmp->op)); break; case NFTNL_EXPR_CMP_DATA: - memcpy(&cmp->data.val, data, data_len); - cmp->data.len = data_len; - break; + return nftnl_data_cpy(&cmp->data, data, data_len); default: return -1; } -- cgit v1.2.3