diff options
author | Dan Carpenter <dan.carpenter@linaro.org> | 2023-11-03 09:42:51 +0300 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-11-14 16:16:21 +0100 |
commit | c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 (patch) | |
tree | 8affa98af2d39162ba70c261a130b2f8d1a3b7ae /net/netfilter/nft_meta.c | |
parent | a44af08e3d4d7566eeea98d7a29fe06e7b9de944 (diff) | |
download | linux-stable-c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63.tar.gz linux-stable-c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63.tar.bz2 linux-stable-c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63.zip |
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
The problem is in nft_byteorder_eval() where we are iterating through a
loop and writing to dst[0], dst[1], dst[2] and so on... On each
iteration we are writing 8 bytes. But dst[] is an array of u32 so each
element only has space for 4 bytes. That means that every iteration
overwrites part of the previous element.
I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
issue. I think that the reason we have not detected this bug in testing
is that most of time we only write one element.
Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nft_meta.c')
-rw-r--r-- | net/netfilter/nft_meta.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index f7da7c43333b..ba0d3683a45d 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -63,7 +63,7 @@ nft_meta_get_eval_time(enum nft_meta_keys key, { switch (key) { case NFT_META_TIME_NS: - nft_reg_store64(dest, ktime_get_real_ns()); + nft_reg_store64((u64 *)dest, ktime_get_real_ns()); break; case NFT_META_TIME_DAY: nft_reg_store8(dest, nft_meta_weekday()); |