Patchwork [nft,RFC] mnl: Fix a potential buffer overflow

login
register
mail settings
Submitter Yuxuan Shui
Date March 14, 2014, 1:47 p.m.
Message ID <1394804825-6617-1-git-send-email-yshuiv7@gmail.com>
Download mbox | patch
Permalink /patch/330309/
State Deferred
Headers show

Comments

Yuxuan Shui - March 14, 2014, 1:47 p.m.
Use nft_set_elems_nlmsg_build_payload_check to prevent the buffer from
being overflowed.
---
 src/mnl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch

diff --git a/src/mnl.c b/src/mnl.c
index e825fb0..1dea2ed 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -709,7 +709,8 @@  int mnl_nft_setelem_add(struct mnl_socket *nf_sock, struct nft_set *nls,
 	nlh = nft_set_elem_nlmsg_build_hdr(buf, NFT_MSG_NEWSETELEM,
 			nft_set_attr_get_u32(nls, NFT_SET_ATTR_FAMILY),
 			NLM_F_CREATE | NLM_F_ACK | flags, seq);
-	nft_set_elems_nlmsg_build_payload(nlh, nls);
+	if (!nft_set_elems_nlmsg_build_payload_check(nlh, MNL_SOCKET_BUFFER_SIZE, nls))
+		BUG("Too many elements in set.\n");
 
 	return mnl_talk(nf_sock, nlh, nlh->nlmsg_len, NULL, NULL);
 }