netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
authorDan Carpenter <dan.carpenter@linaro.org>
Fri, 3 Nov 2023 06:42:51 +0000 (09:42 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 28 Nov 2023 17:07:05 +0000 (17:07 +0000)
commit18a169810cff769a7a697b35058c756805f589e0
treecb05a7e725398006e5aa433d6c58488f512ff00f
parent6a15d971040e86f304cf2f407dff77abf73a59b7
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()

[ Upstream commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 ]

The problem is in nft_byteorder_eval() where we are iterating through a
loop and writing to dst[0], dst[1], dst[2] and so on...  On each
iteration we are writing 8 bytes.  But dst[] is an array of u32 so each
element only has space for 4 bytes.  That means that every iteration
overwrites part of the previous element.

I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
issue.  I think that the reason we have not detected this bug in testing
is that most of time we only write one element.

Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
include/net/netfilter/nf_tables.h
net/netfilter/nft_byteorder.c
net/netfilter/nft_meta.c