netfilter: nf_tables: out-of-bound check in chain blob

ummakynes · ummakynes · commit 08e42a0d3ad3 · 2023-06-07T00:43:44.000+02:00
Add current size of rule expressions to the boundary check. Fixes: 2c865a8 ("netfilter: nf_tables: add rule blob layout") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -9007,7 +9007,7 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha
 				continue;
 			}
 
-			if (WARN_ON_ONCE(data + expr->ops->size > data_boundary))
+			if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
 				return -ENOMEM;
 
 			memcpy(data + size, expr, expr->ops->size);

Original file line number	Diff line number	Diff line change
`@@ -9007,7 +9007,7 @@ static int nf_tables_commit_chain_prepare(struct net net, struct nft_chain cha`
`9007`	`9007`	`continue;`
`9008`	`9008`	`}`
`9009`	`9009`
`9010`		`- if (WARN_ON_ONCE(data + expr->ops->size > data_boundary))`
	`9010`	`+ if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))`
`9011`	`9011`	`return -ENOMEM;`
`9012`	`9012`
`9013`	`9013`	`memcpy(data + size, expr, expr->ops->size);`