summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@linaro.org>2023-11-03 07:42:51 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2023-11-14 16:16:21 +0100
commitc301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 (patch)
tree8affa98af2d39162ba70c261a130b2f8d1a3b7ae /include
parentnetfilter: nf_conntrack_bridge: initialize err to 0 (diff)
downloadlinux-c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63.tar.xz
linux-c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63.zip
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
The problem is in nft_byteorder_eval() where we are iterating through a loop and writing to dst[0], dst[1], dst[2] and so on... On each iteration we are writing 8 bytes. But dst[] is an array of u32 so each element only has space for 4 bytes. That means that every iteration overwrites part of the previous element. I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter: nf_tables: prevent OOB access in nft_byteorder_eval") which is a related issue. I think that the reason we have not detected this bug in testing is that most of time we only write one element. Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/net/netfilter/nf_tables.h4
1 files changed, 2 insertions, 2 deletions
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 3bbd13ab1ecf..b157c5cafd14 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -178,9 +178,9 @@ static inline __be32 nft_reg_load_be32(const u32 *sreg)
return *(__force __be32 *)sreg;
}
-static inline void nft_reg_store64(u32 *dreg, u64 val)
+static inline void nft_reg_store64(u64 *dreg, u64 val)
{
- put_unaligned(val, (u64 *)dreg);
+ put_unaligned(val, dreg);
}
static inline u64 nft_reg_load64(const u32 *sreg)