From 19c9a7bfb73f33f50675f31f3664556105a50086 Mon Sep 17 00:00:00 2001

From: Phil Sutter <psutter@redhat.com>

Date: Tue, 28 Feb 2017 18:14:53 +0100

Subject: [PATCH] evaluate: Fix datalen checks in expr_evaluate_string()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360240

Upstream Status: nftables commit 7a5b4c505e4d4

commit 7a5b4c505e4d460239ac8a36b4fbccf222cd6134

Author: Phil Sutter <phil@nwl.cc>

Date:   Tue Aug 30 19:39:49 2016 +0200

    evaluate: Fix datalen checks in expr_evaluate_string()

    I have been told that the flex scanner won't return empty strings, so

    strlen(data) should always be greater 0. To avoid a hard to debug issue

    though, add an assert() to make sure this is always the case before

    risking an unsigned variable underrun.

    A real issue though is the check for 'datalen - 1 >= 0', which will

    never fail due to datalen being unsigned. Fix this by incrementing both

    sides by one, hence checking 'datalen >= 1'.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

---

 src/evaluate.c | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c

index f24e5f3..5e3c158 100644

--- a/src/evaluate.c

+++ b/src/evaluate.c

@@ -248,6 +248,7 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)

 	memset(data + len, 0, data_len - len);

 	mpz_export_data(data, expr->value, BYTEORDER_HOST_ENDIAN, len);

+	assert(strlen(data) > 0);

 	datalen = strlen(data) - 1;

 	if (data[datalen] != '*') {

 		/* We need to reallocate the constant expression with the right

@@ -261,7 +262,7 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)

 		return 0;

 	}

-	if (datalen - 1 >= 0 &&

+	if (datalen >= 1 &&

 	    data[datalen - 1] == '\\') {

 		char unescaped_str[data_len];

-- 

1.8.3.1