From 19c9a7bfb73f33f50675f31f3664556105a50086 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 28 Feb 2017 18:14:53 +0100
Subject: [PATCH] evaluate: Fix datalen checks in expr_evaluate_string()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360240
Upstream Status: nftables commit 7a5b4c505e4d4
commit 7a5b4c505e4d460239ac8a36b4fbccf222cd6134
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Aug 30 19:39:49 2016 +0200
evaluate: Fix datalen checks in expr_evaluate_string()
I have been told that the flex scanner won't return empty strings, so
strlen(data) should always be greater than 0. To avoid a hard-to-debug issue
though, add an assert() to make sure this is always the case before
risking an unsigned variable underrun.
A real issue though is the check for 'datalen - 1 >= 0', which will
never fail due to datalen being unsigned. Fix this by incrementing both
sides by one, hence checking 'datalen >= 1'.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index f24e5f3..5e3c158 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -248,6 +248,7 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
memset(data + len, 0, data_len - len);
mpz_export_data(data, expr->value, BYTEORDER_HOST_ENDIAN, len);
+ assert(strlen(data) > 0);
datalen = strlen(data) - 1;
if (data[datalen] != '*') {
/* We need to reallocate the constant expression with the right
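Review bot: the added `assert(strlen(data) > 0);` is the only guard before `datalen = strlen(data) - 1;` on the next line, and assert() is compiled out when NDEBUG is defined. In such a build an empty string would still wrap datalen to the maximum value of its unsigned type, and `data[datalen]` would then read far outside the buffer. Consider an explicit runtime check that returns an evaluation error (or treats the empty string as having no trailing wildcard) before the subtraction, keeping the assert only to document the scanner invariant the commit message relies on.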
@@ -261,7 +262,7 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
return 0;
}
- if (datalen - 1 >= 0 &&
+ if (datalen >= 1 &&
data[datalen - 1] == '\\') {
char unescaped_str[data_len];
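Review bot: the context line `char unescaped_str[data_len];` directly under the corrected condition is a variable-length array sized by data_len, so the stack usage of this branch follows the length of the string being evaluated. If data_len is not tightly bounded before this point, an upper-bound check or a heap allocation would be safer here. As a minor style point, `datalen > 0` states the intent of the guard on `data[datalen - 1]` more directly than `datalen >= 1`, and building with a warning such as -Wtype-limits would have flagged the old always-true `datalen - 1 >= 0` comparison.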
--
1.8.3.1