On 2022-09-03, at 14:53:45 +0100, Adam D. Barratt wrote: > On Fri, 2022-08-19 at 16:05 +0100, Jeremy Sowden wrote: > > The related nftables bug is: > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359 > > > > [ Reason ] > > nftables uses a fixed-size array containing the locations of the > > expressions within each rule that it sends to the kernel to provide > > more informative error-reporting. If the rule is rejected by the > > kernel, the kernel will provide an ID for the expression which was > > responsible, and nftables will use this to highlight it when > > outputting the rule in the error message: > > > > # nft add rule t c iif lo reject with icmp 255 > > Error: Could not process rule: Invalid argument > > add rule t c iif lo reject with icmp 255 > > ^^^^^^ > > > > There is an off-by-one error in the bounds-checking used before > > adding the details of an expression to this array. The result of > > this is that if a rule contains enough expressions, nftables will > > write past the end of the array leading to memory-corruption and > > possibly crashes. > > The debdiff is somewhat confusing. > > +nftables (0.9.8-3.2) unstable; urgency=medium > > This is an upload to bullseye, not unstable. Additionally, the version > should be 0.9.8-3.1+deb11u1. > > + -- Sven Auhagen <sven.auha...@voleatech.de> Sat, 16 Jul 2022 11:29:27 +0200 > > Who is this? It's obviously not you, but also doesn't appear to be > related to the nftables bug report you mentioned.
Whoops. Silly mistakes. Still learning the ropes. I've amended the change-log entry. I've also added myself to `Uploaders` (I am already listed as one in testing and unstable). New debdiff attached. Thanks for the pointers, J.
diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog --- nftables-0.9.8/debian/changelog 2021-07-20 09:01:47.000000000 +0100 +++ nftables-0.9.8/debian/changelog 2022-09-04 09:34:11.000000000 +0100 @@ -1,3 +1,14 @@ +nftables (0.9.8-3.1+deb11u1) bullseye; urgency=medium + + * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch + It fixes a one off for the check for NFT_NLATTR_LOC_MAX + which leads to double free or corruption (out) error. + Thanks to Sven Auhagen <sven.auha...@voleatech.de> for + suggesting the fix (closes: #1017359). + * d/control: add myself to uploaders. + + -- Jeremy Sowden <jer...@azazel.net> Sun, 04 Sep 2022 09:34:11 +0100 + nftables (0.9.8-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru nftables-0.9.8/debian/control nftables-0.9.8/debian/control --- nftables-0.9.8/debian/control 2021-07-20 09:01:47.000000000 +0100 +++ nftables-0.9.8/debian/control 2022-09-04 09:34:11.000000000 +0100 @@ -2,7 +2,8 @@ Section: net Priority: important Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-t...@lists.alioth.debian.org> -Uploaders: Arturo Borrero Gonzalez <art...@debian.org> +Uploaders: Arturo Borrero Gonzalez <art...@debian.org>, + Jeremy Sowden <jer...@azazel.net> Build-Depends: asciidoc-base, automake, bison, diff -Nru nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch --- nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch 1970-01-01 01:00:00.000000000 +0100 +++ nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch 2022-09-04 09:26:53.000000000 +0100 @@ -0,0 +1,32 @@ +From 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd Mon Sep 17 00:00:00 2001 +From: Phil Sutter <p...@nwl.cc> +Date: Fri, 11 Jun 2021 17:08:34 +0200 +Subject: rule: Fix for potential off-by-one in cmd_add_loc() + +Using num_attrs as index means it must be at max one less than the +array's size at function start. + +Fixes: 27362a5bfa433 ("rule: larger number of error locations") +Signed-off-by: Phil Sutter <p...@nwl.cc> +--- + src/rule.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +(limited to 'src/rule.c') + +diff --git a/src/rule.c b/src/rule.c +index dbbe744e..92daf2f3 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -1275,7 +1275,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj, + + void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc) + { +- if (cmd->num_attrs > NFT_NLATTR_LOC_MAX) ++ if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX) + return; + + cmd->attr[cmd->num_attrs].offset = offset; +-- +cgit v1.2.3 + diff -Nru nftables-0.9.8/debian/patches/series nftables-0.9.8/debian/patches/series --- nftables-0.9.8/debian/patches/series 2021-07-20 09:01:47.000000000 +0100 +++ nftables-0.9.8/debian/patches/series 2022-09-04 09:26:53.000000000 +0100 @@ -1 +1,2 @@ payload-check-icmp-dependency-before-removing-previo.patch +rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
signature.asc
Description: PGP signature