json: reject too long interface names

Blamed commit added a length check on ifnames to the bison parser.
Unfortunately that wasn't enough, json parser has the same issue.

Bogon results in:
BUG: Interface length 44 exceeds limit
nft: src/mnl.c:742: nft_dev_add: Assertion `0' failed.

After patch, included bogon results in:
Error: Invalid device at index 0. name d2345678999999999999999999999999999999012345 too long

I intentionally did not extend evaluate.c to catch this, past sentiment
was that frontends should not send garbage.

I'll send a followup patch to also catch this from eval stage in case there
are further reports for frontends passing in such long names.

Fixes: fa52bc225806 ("parser: reject zero-length interface names")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 15 insertions, 2 deletions

diff --git a/src/parser_json.c b/src/parser_json.c
index e3dd14cd..3195d529 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -2951,7 +2951,13 @@ static struct expr *json_parse_devs(struct json_ctx *ctx, json_t *root)
 	size_t index;
 
 	if (!json_unpack(root, "s", &dev)) {
-		tmp = constant_expr_alloc(int_loc, &string_type,
+		if (strlen(dev) >= IFNAMSIZ) {
+			json_error(ctx, "Device name %s too long", dev);
+			expr_free(expr);
+			return NULL;
+		}
+
+		tmp = constant_expr_alloc(int_loc, &ifname_type,
 					  BYTEORDER_HOST_ENDIAN,
 					  strlen(dev) * BITS_PER_BYTE, dev);
 		compound_expr_add(expr, tmp);
@@ -2969,7 +2975,14 @@ static struct expr *json_parse_devs(struct json_ctx *ctx, json_t *root)
 			expr_free(expr);
 			return NULL;
 		}
-		tmp = constant_expr_alloc(int_loc, &string_type,
+
+		if (strlen(dev) >= IFNAMSIZ) {
+			json_error(ctx, "Device name %s too long at index %zu", dev, index);
+			expr_free(expr);
+			return NULL;
+		}
+
+		tmp = constant_expr_alloc(int_loc, &ifname_type,
 					  BYTEORDER_HOST_ENDIAN,
 					  strlen(dev) * BITS_PER_BYTE, dev);
 		compound_expr_add(expr, tmp);