Message ID | 20180215142938.9653-1-fw@strlen.de |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Headers | show |
Series | [nft] payload: don't decode past last valid template | expand |
On Thu, Feb 15, 2018 at 03:29:38PM +0100, Florian Westphal wrote: > When trying to decode payload header fields, be sure to bail out > when having exhausted all available templates. > > Otherwise, we allocate invalid payload expressions (no dataype, > header length of 0) and then crash when trying to print them. > > Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226 > Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/src/payload.c b/src/payload.c index 60090accbcd8..63c9f7157e4e 100644 --- a/src/payload.c +++ b/src/payload.c @@ -618,6 +618,10 @@ void payload_expr_expand(struct list_head *list, struct expr *expr, for (i = 1; i < array_size(desc->templates); i++) { tmpl = &desc->templates[i]; + + if (tmpl->len == 0) + break; + if (tmpl->offset != expr->payload.offset) continue;
When trying to decode payload header fields, be sure to bail out when having exhausted all available templates. Otherwise, we allocate invalid payload expressions (no dataype, header length of 0) and then crash when trying to print them. Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226 Signed-off-by: Florian Westphal <fw@strlen.de> --- src/payload.c | 4 ++++ 1 file changed, 4 insertions(+)