From bed99830c4c63eae205c28a7ff914737bedb199d Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Tue, 24 Jun 2025 23:46:59 +0200 Subject: json: reject too long interface names Blamed commit added a length check on ifnames to the bison parser. Unfortunately that wasn't enough, json parser has the same issue. Bogon results in: BUG: Interface length 44 exceeds limit nft: src/mnl.c:742: nft_dev_add: Assertion `0' failed. After patch, included bogon results in: Error: Invalid device at index 0. name d2345678999999999999999999999999999999012345 too long I intentionally did not extend evaluate.c to catch this, past sentiment was that frontends should not send garbage. I'll send a followup patch to also catch this from eval stage in case there are further reports for frontends passing in such long names. Fixes: fa52bc225806 ("parser: reject zero-length interface names") Signed-off-by: Florian Westphal Reviewed-by: Pablo Neira Ayuso --- src/parser_json.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/parser_json.c b/src/parser_json.c index e3dd14cd..3195d529 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -2951,7 +2951,13 @@ static struct expr *json_parse_devs(struct json_ctx *ctx, json_t *root) size_t index; if (!json_unpack(root, "s", &dev)) { - tmp = constant_expr_alloc(int_loc, &string_type, + if (strlen(dev) >= IFNAMSIZ) { + json_error(ctx, "Device name %s too long", dev); + expr_free(expr); + return NULL; + } + + tmp = constant_expr_alloc(int_loc, &ifname_type, BYTEORDER_HOST_ENDIAN, strlen(dev) * BITS_PER_BYTE, dev); compound_expr_add(expr, tmp); @@ -2969,7 +2975,14 @@ static struct expr *json_parse_devs(struct json_ctx *ctx, json_t *root) expr_free(expr); return NULL; } - tmp = constant_expr_alloc(int_loc, &string_type, + + if (strlen(dev) >= IFNAMSIZ) { + json_error(ctx, "Device name %s too long at index %zu", dev, index); + expr_free(expr); + return NULL; + } + + tmp = constant_expr_alloc(int_loc, &ifname_type, BYTEORDER_HOST_ENDIAN, strlen(dev) * BITS_PER_BYTE, dev); compound_expr_add(expr, tmp); -- cgit v1.2.3