From be0bae0ad31b0adb506f96de083f52a2bd0d4fbf Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 7 Mar 2024 14:49:08 +0100
Subject: expr: Respect data_len when setting attributes

With attr_policy in place, data_len has an upper boundary but it may be lower than the attribute's storage area in which case memcpy() would read garbage.

Signed-off-by: Phil Sutter
---
 src/expr/objref.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/expr/objref.c')

diff --git a/src/expr/objref.c b/src/expr/objref.c
index 59e1ddd..0053805 100644
--- a/src/expr/objref.c
+++ b/src/expr/objref.c
@@ -39,7 +39,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
 switch(type) {
 case NFTNL_EXPR_OBJREF_IMM_TYPE:
- memcpy(&objref->imm.type, data, sizeof(objref->imm.type));
+ memcpy(&objref->imm.type, data, data_len);
 break;
 case NFTNL_EXPR_OBJREF_IMM_NAME:
 objref->imm.name = strdup(data);
@@ -47,7 +47,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
 return -1;
 break;
 case NFTNL_EXPR_OBJREF_SET_SREG:
- memcpy(&objref->set.sreg, data, sizeof(objref->set.sreg));
+ memcpy(&objref->set.sreg, data, data_len);
 break;
 case NFTNL_EXPR_OBJREF_SET_NAME:
 objref->set.name = strdup(data);
@@ -55,7 +55,7 @@ static int nftnl_expr_objref_set(struct nftnl_expr *e, uint16_t type,
 return -1;
 break;
 case NFTNL_EXPR_OBJREF_SET_ID:
- memcpy(&objref->set.id, data, sizeof(objref->set.id));
+ memcpy(&objref->set.id, data, data_len);
 break;
 }
 return 0;
-- cgit v1.2.3
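Review bot: The rewritten `memcpy(&objref->imm.type, data, data_len);` in the first hunk, and the matching SET_SREG and SET_ID calls in the two following hunks, let the caller-supplied `data_len` size a write into a fixed-width field. The destination is therefore protected only by the attr_policy upper bound the commit message refers to, which is enforced outside `nftnl_expr_objref_set` and is not visible in this patch. I would either document that dependency next to the switch, e.g. `/* attr_policy guarantees data_len <= sizeof() of each field copied below */`, or make it local with a guard such as `if (data_len > sizeof(objref->imm.type)) return -1;` before each copy. A `data_len` shorter than the field also leaves the remaining destination bytes at their previous value, so the stored result presumably depends on the field having been zeroed beforehand and on host byte order; that deserves a comment or a zero-fill before the copy. The function body starts above the first hunk, so the declaration of `data_len` and any earlier validation are not shown here.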