From bc2afbde9eae491bcef23ef5b24b25c7605ad911 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 12 Dec 2023 15:01:17 +0100
Subject: expr: fix buffer overflows in data value setters

The data value setters memcpy() to a fixed-size buffer, but its very easy to make nft pass too-larger values.

Example:
@th,160,1272 gt 0

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000[..]

Truncate the copy instead of corrupting the heap.

This needs additional fixes on nft side to reject such statements with a proper error message.

Signed-off-by: Florian Westphal
---
 src/expr/data_reg.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'src/expr/data_reg.c')

diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index 2633a77..690b23d 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -217,3 +217,17 @@ void nftnl_free_verdict(const union nftnl_data_reg *data)
 		break;
 	}
 }
+
+int nftnl_data_cpy(union nftnl_data_reg *dreg, const void *src, uint32_t len)
+{
+	int ret = 0;
+
+	if (len > sizeof(dreg->val)) {
+		len = sizeof(dreg->val);
+		ret = -1;
+	}
+
+	memcpy(dreg->val, src, len);
+	dreg->len = len;
+	return ret;
+}
-- cgit v1.2.3
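Review bot: `nftnl_data_cpy` still performs the copy and stores the clamped length after detecting an oversized `len`, so any caller that drops the -1 return ends up with a silently shortened value — the `@th,160,1272 gt 0` example from the message would become a match over `sizeof(dreg->val)` bytes rather than an error, i.e. a rule quietly weaker than what the user wrote. The message says the real rejection is planned on the nft side, so this is presumably deliberate, but a fail-closed variant costs nothing here: `if (len > sizeof(dreg->val)) return -1;` placed before the `memcpy`, leaving `dreg` untouched, removes the truncated-but-accepted state entirely; failing that, `__attribute__((warn_unused_result))` on the definition (if the libnftnl headers already use GCC attributes — not visible in this hunk) would at least make an ignored return show up in the build. Either way the contract should be spelled out above the function, e.g. `/* Copy at most sizeof(dreg->val) bytes of src into dreg. On an oversized len the copy is truncated, dreg->len holds the truncated size and -1 is returned; 0 otherwise. */`. The closing lines of `nftnl_free_verdict` that serve as context here belong to a function whose body starts outside the hunk.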