libnftnl-1.2.8-2.el10
* Wed Dec 04 2024 Phil Sutter <psutter@redhat.com> [1.2.8-2.el10] - set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT (Phil Sutter) [RHEL-34697] Resolves: RHEL-34697
This commit is contained in:
parent
a984b9640c
commit
4047161126
@ -0,0 +1,48 @@
|
||||
From 73e56f12f39cf114532eb37119ac84865ffd71fd Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 4 Dec 2024 16:20:16 +0100
|
||||
Subject: [PATCH] set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-34697
|
||||
Upstream Status: libnftnl commit 7cb2a63d67af14576988631e916404592f261fd4
|
||||
|
||||
commit 7cb2a63d67af14576988631e916404592f261fd4
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed Nov 27 16:30:08 2024 +0100
|
||||
|
||||
set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT
|
||||
|
||||
Assuming max data_len of 16 * 4B and no zero bytes in 'data':
|
||||
The while loop will increment field_count, use it as index for the
|
||||
field_len array and afterwards make sure it hasn't increased to
|
||||
NFT_REG32_COUNT. Thus a value of NFT_REG32_COUNT - 1 (= 15) will pass
|
||||
the check, get incremented to 16 and used as index to the 16 fields long
|
||||
array.
|
||||
Use a less fancy for-loop to avoid the increment vs. check problem.
|
||||
|
||||
Fixes: 407f616ea5318 ("set: buffer overflow in NFTNL_SET_DESC_CONCAT setter")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
src/set.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/set.c b/src/set.c
|
||||
index 75ad64e..e9048e0 100644
|
||||
--- a/src/set.c
|
||||
+++ b/src/set.c
|
||||
@@ -189,8 +189,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
|
||||
return -1;
|
||||
|
||||
memcpy(&s->desc.field_len, data, data_len);
|
||||
- while (s->desc.field_len[++s->desc.field_count]) {
|
||||
- if (s->desc.field_count >= NFT_REG32_COUNT)
|
||||
+ for (s->desc.field_count = 0;
|
||||
+ s->desc.field_count < NFT_REG32_COUNT;
|
||||
+ s->desc.field_count++) {
|
||||
+ if (!s->desc.field_len[s->desc.field_count])
|
||||
break;
|
||||
}
|
||||
break;
|
||||
@ -1,14 +1,12 @@
|
||||
%define libnftnl_rpmversion 1.2.8
|
||||
%define libnftnl_specrelease 1
|
||||
|
||||
Name: libnftnl
|
||||
Version: %{libnftnl_rpmversion}
|
||||
Release: %{libnftnl_specrelease}%{?dist}%{?buildid}
|
||||
Version: 1.2.8
|
||||
Release: 2%{?dist}
|
||||
Summary: Library for low-level interaction with nftables Netlink's API over libmnl
|
||||
License: GPL-2.0-or-later
|
||||
URL: https://netfilter.org/projects/libnftnl/
|
||||
Source0: %{url}/files/%{name}-%{version}.tar.xz
|
||||
|
||||
Patch1: 0001-set-Fix-for-array-overrun-when-setting-NFTNL_SET_DES.patch
|
||||
|
||||
BuildRequires: libmnl-devel
|
||||
BuildRequires: gcc
|
||||
@ -57,6 +55,9 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
|
||||
%{_includedir}/libnftnl
|
||||
|
||||
%changelog
|
||||
* Wed Dec 04 2024 Phil Sutter <psutter@redhat.com> [1.2.8-2.el10]
|
||||
- set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT (Phil Sutter) [RHEL-34697]
|
||||
|
||||
* Thu Nov 07 2024 Phil Sutter <psutter@redhat.com> [1.2.8-1.el10]
|
||||
- Rebase onto version 1.2.8 (Phil Sutter) [RHEL-66276]
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user