From 90d451ff23ebf1f8e0ca9d481b81f9d1ff69be5d Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 2 Dec 2019 19:47:32 +0100
Subject: netlink: off-by-one write in netdev chain device array
==728473== Invalid write of size 8
==728473== at 0x48960F2: netlink_delinearize_chain (netlink.c:422)
==728473== by 0x4896252: list_chain_cb (netlink.c:459)
==728473== by 0x4896252: list_chain_cb (netlink.c:441)
==728473== by 0x4F2C654: nftnl_chain_list_foreach (chain.c:1011)
==728473== by 0x489629F: netlink_list_chains (netlink.c:478)
==728473== by 0x4882303: cache_init_objects (rule.c:177)
==728473== by 0x4882303: cache_init (rule.c:222)
==728473== by 0x4882303: cache_update (rule.c:272)
==728473== by 0x48A7DCE: nft_evaluate (libnftables.c:408)
==728473== by 0x48A86D9: nft_run_cmd_from_buffer (libnftables.c:449)
==728473== by 0x10A5D6: main (main.c:338)
Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain")
Signed-off-by: Pablo Neira Ayuso
---
 src/netlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/netlink.c')
diff --git a/src/netlink.c b/src/netlink.c
index 7306e358..486e1247 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -415,7 +415,7 @@ struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
 					  &policy);
 	nftnl_chain_get_u32(nlc, NFTNL_CHAIN_POLICY);
 	if (nftnl_chain_is_set(nlc, NFTNL_CHAIN_DEV)) {
-		chain->dev_array = xmalloc(sizeof(char *));
+		chain->dev_array = xmalloc(sizeof(char *) * 2);
 		chain->dev_array_len = 1;
 		chain->dev_array[0] = xstrdup(nftnl_chain_get_str(nlc, NFTNL_CHAIN_DEV));
@@ -425,7 +425,7 @@ struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
 		while (dev_array[len])
 			len++;
-		chain->dev_array = xmalloc(len * sizeof(char *));
+		chain->dev_array = xmalloc((len + 1)* sizeof(char *));
 		for (i = 0; i < len; i++)
 			chain->dev_array[i] = xstrdup(dev_array[i]);
-- 
cgit v1.2.3
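Review bot: Both hunks grow the allocation by one slot, but nothing inside either hunk writes that slot, so a reader cannot tell from the diff why `dev_array` is one element larger than `dev_array_len`; the terminator store is presumably the netlink.c:422 write in the valgrind trace, just past the first hunk, and the same holds for the second hunk. A one-line comment above each xmalloc, `/* one extra slot: dev_array is NULL-terminated below, see dev_array_len */`, would tie the size to the invariant so the next change to either branch keeps the two in step. It would also be safer to express the size in terms of the object rather than a repeated `sizeof(char *)`, e.g. `chain->dev_array = xmalloc((len + 1) * sizeof(*chain->dev_array));`, which additionally fixes the missing space before `*` in the second hunk. netlink_delinearize_chain begins before and continues after both hunks, so the terminator write and the free path are not visible here.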