diff mbox series

[nft] payload: don't decode past last valid template

Message ID 20180215142938.9653-1-fw@strlen.de
State Accepted
Delegated to: Pablo Neira

Commit Message

Florian Westphal Feb. 15, 2018, 2:29 p.m. UTC
When trying to decode payload header fields, be sure to bail out
when having exhausted all available templates.

Otherwise, we allocate invalid payload expressions (no datatype,
header length of 0) and then crash when trying to print them.

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/payload.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Pablo Neira Ayuso Feb. 15, 2018, 2:41 p.m. UTC | #1
On Thu, Feb 15, 2018 at 03:29:38PM +0100, Florian Westphal wrote:
> When trying to decode payload header fields, be sure to bail out
> when having exhausted all available templates.
> 
> Otherwise, we allocate invalid payload expressions (no datatype,
> header length of 0) and then crash when trying to print them.
> 
> Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Patch

diff --git a/src/payload.c b/src/payload.c
index 60090accbcd8..63c9f7157e4e 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -618,6 +618,10 @@  void payload_expr_expand(struct list_head *list, struct expr *expr,
 
 	for (i = 1; i < array_size(desc->templates); i++) {
 		tmpl = &desc->templates[i];
+
+		if (tmpl->len == 0)
+			break;
+
 		if (tmpl->offset != expr->payload.offset)
 			continue;
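
Review bot: the new `if (tmpl->len == 0)` check at the top of the loop body treats a zero length as an implicit end-of-templates marker, and nothing in the hunk documents that convention. A one-line comment above the check, stating the assumption that unused slots in `desc->templates` have `len == 0` and that valid templates are contiguous from index 1, would explain why this is a `break` rather than a `continue`. If a descriptor ever had a zero-length entry ahead of a later valid template, the `break` would silently stop before reaching it, so the contiguity assumption is worth spelling out where the loop relies on it.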