From 73e56f12f39cf114532eb37119ac84865ffd71fd Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Wed, 4 Dec 2024 16:20:16 +0100 Subject: [PATCH] set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT JIRA: https://issues.redhat.com/browse/RHEL-34697 Upstream Status: libnftnl commit 7cb2a63d67af14576988631e916404592f261fd4 commit 7cb2a63d67af14576988631e916404592f261fd4 Author: Phil Sutter Date: Wed Nov 27 16:30:08 2024 +0100 set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT Assuming max data_len of 16 * 4B and no zero bytes in 'data': The while loop will increment field_count, use it as index for the field_len array and afterwards make sure it hasn't increased to NFT_REG32_COUNT. Thus a value of NFT_REG32_COUNT - 1 (= 15) will pass the check, get incremented to 16 and used as index to the 16 fields long array. Use a less fancy for-loop to avoid the increment vs. check problem. Fixes: 407f616ea5318 ("set: buffer overflow in NFTNL_SET_DESC_CONCAT setter") Signed-off-by: Phil Sutter Reviewed-by: Pablo Neira Ayuso Signed-off-by: Phil Sutter --- src/set.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/set.c b/src/set.c index 75ad64e..e9048e0 100644 --- a/src/set.c +++ b/src/set.c @@ -189,8 +189,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data, return -1; memcpy(&s->desc.field_len, data, data_len); - while (s->desc.field_len[++s->desc.field_count]) { - if (s->desc.field_count >= NFT_REG32_COUNT) + for (s->desc.field_count = 0; + s->desc.field_count < NFT_REG32_COUNT; + s->desc.field_count++) { + if (!s->desc.field_len[s->desc.field_count]) break; } break;