| author | Florian Westphal <fw@strlen.de> | 2023-12-08 15:34:29 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2023-12-12 15:20:41 +0100 |
| commit | 130060afa9f6f11e14ea5cf372545407179f16ac (patch) | |
| tree | a30d250d7129ac8f1d3adbeb0e4b3d47baabe9ad /include/netlink.h | |
| parent | 21608263cc1ae489326e743957bfe34b05414a44 (diff) | |
netlink: add and use nft_data_memcpy helper
There is a stack overflow somewhere in this code, we end
up memcpy'ing a way too large expr into a fixed-size on-stack
buffer.
This is hard to diagnose, most of this code gets inlined so
the crash happens later on return from alloc_nftnl_setelem.
Condense the memcpy into a helper and add a BUG so we can catch
the overflow before it occurs.
->value is too small (4, should be 16), but for normal
cases (well-formed data must fit into max reg space, i.e.
64 byte) the chain buffer that comes after value in the
structure provides a cushion.
In order to have the new BUG() not trigger on valid data,
bump value to the correct size, this is userspace so the additional
60 bytes of stack usage is no concern.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include/netlink.h')
| -rw-r--r-- | include/netlink.h | 2 |
|---|---|---|

1 files changed, 1 insertions, 1 deletions
diff --git a/include/netlink.h b/include/netlink.h index 6766d7e8..32f8a3e5 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -100,7 +100,7 @@ extern struct nftnl_rule *netlink_rule_alloc(const struct nlmsghdr *nlh); struct nft_data_linearize { uint32_t len; - uint32_t value[4]; + uint32_t value[NFT_REG32_COUNT]; char chain[NFT_CHAIN_MAXNAMELEN]; uint32_t chain_id; int verdict; |
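Review bot: the "additional 60 bytes of stack usage" in the commit message does not match this hunk: growing `uint32_t value[4];` to `uint32_t value[NFT_REG32_COUNT];` with NFT_REG32_COUNT equal to 16 (the size the message itself says is correct) adds 12 extra uint32_t entries, i.e. 48 bytes, not 60; the figure in the message should be corrected. Since the array size is now expressed through NFT_REG32_COUNT, the bounds check in the new nft_data_memcpy helper should derive its limit from sizeof of the value member rather than from a hard-coded 64, so the two cannot drift apart if the register count ever changes.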