diff options
-rw-r--r-- | src/netlink.c | 7 | ||||
-rw-r--r-- | tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix | 5 |
2 files changed, 10 insertions, 2 deletions
diff --git a/src/netlink.c b/src/netlink.c index 76e6be58..32b18995 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -465,11 +465,14 @@ static void netlink_gen_range(const struct expr *expr, static void netlink_gen_prefix(const struct expr *expr, struct nft_data_linearize *nld) { - unsigned int len = div_round_up(expr->len, BITS_PER_BYTE) * 2; - unsigned char data[len]; + unsigned int len = (netlink_padded_len(expr->len) / BITS_PER_BYTE) * 2; + unsigned char data[NFT_MAX_EXPR_LEN_BYTES]; int offset; mpz_t v; + if (len > sizeof(data)) + BUG("Value export of %u bytes would overflow", len); + offset = netlink_export_pad(data, expr->prefix->value, expr); mpz_init_bitmask(v, expr->len - expr->prefix_len); mpz_add(v, expr->prefix->value, v); diff --git a/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix b/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix new file mode 100644 index 00000000..23c2dc31 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix @@ -0,0 +1,5 @@ +table ip test { + chain test { + tcp dport set ip daddr map { 192.168.0.1 : 0x000/0001 } + } +} |