Re: [PATCH nf v2] netfilter/osf: avoid OOB read
From: Wander Lairson Costa
Date: Thu Aug 31 2023 - 10:46:28 EST
On Thu, Aug 31, 2023 at 10:37 AM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Wander Lairson Costa <wander@xxxxxxxxxx> wrote:
> >
> > diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
> > index 8f1bfa6ccc2d..13fedf2aaa0f 100644
> > --- a/net/netfilter/nfnetlink_osf.c
> > +++ b/net/netfilter/nfnetlink_osf.c
> > @@ -315,6 +315,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
> >
> > f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
> >
> > + if (f->opt_num > ARRAY_SIZE(f->opt))
> > + return -EINVAL;
> > +
>
> Hmm, this isn't enough; as far as I can see there is no validation
> whatsoever.
>
I didn't get it. It guarantees there is no OOB read of the opt array.
> This should also check that all of:
>
> char genre[MAXGENRELEN];
> char version[MAXGENRELEN];
> char subtype[MAXGENRELEN];
>
> ... have a NUL byte. You could use strnlen() == ARRAY_SIZE() -> EINVAL
> for those.
>
I think the correct way would be memchr(genre/version/subtype, 0, MAXGENRELEN).
> Maybe there is more to be validated. I did not followup with all the
> nested structures buried in user_finger struct.
>
I focused on the reported issue mainly because I am unfamiliar with
the Netfilter layer. Let me take a deeper look.