From patchwork Thu Feb 15 14:29:38 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 873909
X-Patchwork-Delegate: pablo@netfilter.org
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zhzPB5Msnz9s72 for ; Fri, 16 Feb 2018 01:36:46 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1033149AbeBOOgp (ORCPT ); Thu, 15 Feb 2018 09:36:45 -0500
Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:46474 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1033090AbeBOOgo (ORCPT ); Thu, 15 Feb 2018 09:36:44 -0500
Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.84_2) (envelope-from ) id 1emKbH-0000mu-D7; Thu, 15 Feb 2018 15:33:27 +0100
From: Florian Westphal
To:
Cc: Florian Westphal
Subject: [PATCH nft] payload: don't decode past last valid template
Date: Thu, 15 Feb 2018 15:29:38 +0100
Message-Id: <20180215142938.9653-1-fw@strlen.de>
X-Mailer: git-send-email 2.16.1
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netfilter-devel@vger.kernel.org

When trying to decode payload header fields, be sure to bail out when
having exhausted all available templates.

Otherwise, we allocate invalid payload expressions (no datatype, header
length of 0) and then crash when trying to print them.

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1226
Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
---
 src/payload.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/payload.c b/src/payload.c index 60090accbcd8..63c9f7157e4e 100644 --- a/src/payload.c +++ b/src/payload.c @@ -618,6 +618,10 @@ void payload_expr_expand(struct list_head *list, struct expr *expr, for (i = 1; i < array_size(desc->templates); i++) { tmpl = &desc->templates[i]; + + if (tmpl->len == 0) + break; + if (tmpl->offset != expr->payload.offset) continue;
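Review bot: The new `if (tmpl->len == 0) break;` guard in payload_expr_expand() is undocumented; a one-line comment above it should state that a zero-length template marks the end of the populated entries in `desc->templates`, because the loop bound is `array_size(desc->templates)` (the full array) rather than the number of templates a given protocol actually defines, so without the guard the loop keeps matching against empty slots and, as the commit message says, builds payload expressions with no datatype and a header length of 0 that crash at print time. It is also worth spelling out in that comment why `break` rather than `continue` is the right choice here (no valid template follows an empty one), and placing the check before the `tmpl->offset != expr->payload.offset` comparison, as done here, is correct since an offset of 0 in an empty slot could otherwise spuriously match.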