[pkg-netfilter-team] Bug#1017723: bullseye-pu: package nftables/0.9.8-3.2

Jeremy Sowden jeremy at azazel.net
Sun Sep 4 15:09:10 BST 2022 

On 2022-09-03, at 14:53:45 +0100, Adam D. Barratt wrote:
> On Fri, 2022-08-19 at 16:05 +0100, Jeremy Sowden wrote:
> > The related nftables bug is:
> > 
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359
> > 
> > [ Reason ]
> > nftables uses a fixed-size array containing the locations of the
> > expressions within each rule that it sends to the kernel to provide
> > more informative error-reporting.  If the rule is rejected by the
> > kernel, the kernel will provide an ID for the expression which was
> > responsible, and nftables will use this to highlight it when
> > outputting the rule in the error message:
> > 
> >  # nft add rule t c iif lo reject with icmp 255
> >  Error: Could not process rule: Invalid argument
> >  add rule t c iif lo reject with icmp 255
> >                      ^^^^^^
> > 
> > There is an off-by-one error in the bounds-checking used before
> > adding the details of an expression to this array.  The result of
> > this is that if a rule contains enough expressions, nftables will
> > write past the end of the array leading to memory-corruption and
> > possibly crashes.
> 
> The debdiff is somewhat confusing.
> 
> +nftables (0.9.8-3.2) unstable; urgency=medium
> 
> This is an upload to bullseye, not unstable. Additionally, the version
> should be 0.9.8-3.1+deb11u1.
> 
> + -- Sven Auhagen <sven.auhagen at voleatech.de>  Sat, 16 Jul 2022 11:29:27 +0200
> 
> Who is this? It's obviously not you, but also doesn't appear to be
> related to the nftables bug report you mentioned.

Whoops.  Silly mistakes.  Still learning the ropes.  I've amended the
change-log entry.

I've also added myself to `Uploaders` (I am already listed as one in
testing and unstable).

New debdiff attached.

Thanks for the pointers,

J.
-------------- next part --------------
diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog
--- nftables-0.9.8/debian/changelog	2021-07-20 09:01:47.000000000 +0100
+++ nftables-0.9.8/debian/changelog	2022-09-04 09:34:11.000000000 +0100
@@ -1,3 +1,14 @@
+nftables (0.9.8-3.1+deb11u1) bullseye; urgency=medium
+
+  * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
+    It fixes a one off for the check for NFT_NLATTR_LOC_MAX
+    which leads to double free or corruption (out) error.
+    Thanks to Sven Auhagen <sven.auhagen at voleatech.de> for
+    suggesting the fix (closes: #1017359).
+  * d/control: add myself to uploaders.
+
+ -- Jeremy Sowden <jeremy at azazel.net>  Sun, 04 Sep 2022 09:34:11 +0100
+
 nftables (0.9.8-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru nftables-0.9.8/debian/control nftables-0.9.8/debian/control
--- nftables-0.9.8/debian/control	2021-07-20 09:01:47.000000000 +0100
+++ nftables-0.9.8/debian/control	2022-09-04 09:34:11.000000000 +0100
@@ -2,7 +2,8 @@
 Section: net
 Priority: important
 Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team at lists.alioth.debian.org>
-Uploaders: Arturo Borrero Gonzalez <arturo at debian.org>
+Uploaders: Arturo Borrero Gonzalez <arturo at debian.org>,
+           Jeremy Sowden <jeremy at azazel.net>
 Build-Depends: asciidoc-base,
                automake,
                bison,
diff -Nru nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
--- nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch	1970-01-01 01:00:00.000000000 +0100
+++ nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch	2022-09-04 09:26:53.000000000 +0100
@@ -0,0 +1,32 @@
+From 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil at nwl.cc>
+Date: Fri, 11 Jun 2021 17:08:34 +0200
+Subject: rule: Fix for potential off-by-one in cmd_add_loc()
+
+Using num_attrs as index means it must be at max one less than the
+array's size at function start.
+
+Fixes: 27362a5bfa433 ("rule: larger number of error locations")
+Signed-off-by: Phil Sutter <phil at nwl.cc>
+---
+ src/rule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+(limited to 'src/rule.c')
+
+diff --git a/src/rule.c b/src/rule.c
+index dbbe744e..92daf2f3 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -1275,7 +1275,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
+ 
+ void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
+ {
+-	if (cmd->num_attrs > NFT_NLATTR_LOC_MAX)
++	if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)
+ 		return;
+ 
+ 	cmd->attr[cmd->num_attrs].offset = offset;
+-- 
+cgit v1.2.3
+
diff -Nru nftables-0.9.8/debian/patches/series nftables-0.9.8/debian/patches/series
--- nftables-0.9.8/debian/patches/series	2021-07-20 09:01:47.000000000 +0100
+++ nftables-0.9.8/debian/patches/series	2022-09-04 09:26:53.000000000 +0100
@@ -1 +1,2 @@
 payload-check-icmp-dependency-before-removing-previo.patch
+rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-netfilter-team/attachments/20220904/9371836c/attachment.sig>

More information about the pkg-netfilter-team mailing list