[nft] payload: assert when accessing inner transport header

Message ID 1420459464-21821-1-git-send-email-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira

Commit Message

Pablo Neira Ayuso Jan. 5, 2015, 12:04 p.m. UTC
Instead of segfaulting due to an out-of-bounds access to the protocol
context array ctx->protocol[base].location from proto_ctx_update().

 # nft add rule filter input ah nexthdr tcp
 nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
So we avoid a crash. I think we have to add PROTO_BASE_INNER_HDR to proto_bases
and add some extra offsets for the inner header for this case. At least, I'd
like to put this in the tree so we have this in our radar.

 src/payload.c |    1 +
 1 file changed, 1 insertion(+)

Comments

Patrick McHardy Jan. 5, 2015, 12:06 p.m. UTC | #1
On 05.01, Pablo Neira Ayuso wrote:
> Instead of segfaulting due to an out-of-bounds access to the protocol
> context array ctx->protocol[base].location from proto_ctx_update().
> 
>  # nft add rule filter input ah nexthdr tcp
>  nft: payload.c:88: payload_expr_pctx_update: Assertion `left->payload.base + 1 <= (__PROTO_BASE_MAX - 1)' failed.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> So we avoid a crash. I think we have to add PROTO_BASE_INNER_HDR to proto_bases
> and add some extra offsets for the inner header for this case. At least, I'd
> like to put this in the tree so we have this in our radar.

Yep, this looks fine for now. I'll think about a proper fix as well.

> 
>  src/payload.c |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/payload.c b/src/payload.c
> index 83742fb..08578fd 100644
> --- a/src/payload.c
> +++ b/src/payload.c
> @@ -85,6 +85,7 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
>  	base = ctx->protocol[left->payload.base].desc;
>  	desc = proto_find_upper(base, proto);
>  
> +	assert(left->payload.base + 1 <= PROTO_BASE_MAX);
>  	proto_ctx_update(ctx, left->payload.base + 1, &expr->location, desc);
>  }
>  
> -- 
> 1.7.10.4
> 

Patch

diff --git a/src/payload.c b/src/payload.c
index 83742fb..08578fd 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -85,6 +85,7 @@  static void payload_expr_pctx_update(struct proto_ctx *ctx,
 	base = ctx->protocol[left->payload.base].desc;
 	desc = proto_find_upper(base, proto);
 
+	assert(left->payload.base + 1 <= PROTO_BASE_MAX);
 	proto_ctx_update(ctx, left->payload.base + 1, &expr->location, desc);
 }
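Review bot: assert() compiles to nothing under NDEBUG, so the new bound check on `left->payload.base + 1` before the proto_ctx_update() call only protects builds with assertions enabled; a release build would still index ctx->protocol[] past PROTO_BASE_MAX for a rule like `ah nexthdr tcp`. Consider an explicit runtime check that rejects the expression with an error instead of aborting the whole nft process, at least until the PROTO_BASE_INNER_HDR handling mentioned in the commit message lands.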