From 19c9a7bfb73f33f50675f31f3664556105a50086 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 28 Feb 2017 18:14:53 +0100
Subject: [PATCH] evaluate: Fix datalen checks in expr_evaluate_string()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360240
Upstream Status: nftables commit 7a5b4c505e4d4
commit 7a5b4c505e4d460239ac8a36b4fbccf222cd6134
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Aug 30 19:39:49 2016 +0200
evaluate: Fix datalen checks in expr_evaluate_string()
I have been told that the flex scanner won't return empty strings, so
strlen(data) should always be greater than 0. To avoid a hard-to-debug issue
though, add an assert() to make sure this is always the case before
risking an unsigned variable underrun.
A real issue though is the check for 'datalen - 1 >= 0', which will
never fail due to datalen being unsigned. Fix this by incrementing both
sides by one, hence checking 'datalen >= 1'.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index f24e5f3..5e3c158 100644
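--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -248,6 +248,7 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
 memset(data + len, 0, data_len - len);
 mpz_export_data(data, expr->value, BYTEORDER_HOST_ENDIAN, len);
 
+ assert(strlen(data) > 0);
 datalen = strlen(data) - 1;
 if (data[datalen] != '*') {
 /* We need to reallocate the constant expression with the right
@@ -261,7 +262,7 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
 return 0;
 }
 
- if (datalen - 1 >= 0 &&
+ if (datalen >= 1 &&
 data[datalen - 1] == '\\') {
 char unescaped_str[data_len];
 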
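Review bot: The `assert(strlen(data) > 0);` added in the first hunk disappears when the build defines NDEBUG, and then an empty string still makes `datalen = strlen(data) - 1` wrap around (the commit message describes datalen as unsigned), so `data[datalen]` is read far outside the buffer. Since the guarantee rests on scanner behaviour the author was only told about, a runtime check such as `if (data[0] == '\0')` followed by the function's normal error return would hold in every build; the error helper to use is not visible in these hunks. It would also help to add a comment above the check, e.g. `/* the scanner never yields an empty string; guard the unsigned subtraction below */`. The body of expr_evaluate_string() starts and ends outside both hunks.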
--
1.8.3.1