On 2022-09-04, at 15:09:10 +0100, Jeremy Sowden wrote:
> On 2022-09-03, at 14:53:45 +0100, Adam D. Barratt wrote:
> > On Fri, 2022-08-19 at 16:05 +0100, Jeremy Sowden wrote:
> > > The related nftables bug is:
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359
> > >
> > > [ Reason ]
> > > nftables uses a fixed-size array containing the locations of the
> > > expressions within each rule that it sends to the kernel to provide
> > > more informative error-reporting. If the rule is rejected by the
> > > kernel, the kernel will provide an ID for the expression which was
> > > responsible, and nftables will use this to highlight it when
> > > outputting the rule in the error message:
> > >
> > > # nft add rule t c iif lo reject with icmp 255
> > > Error: Could not process rule: Invalid argument
> > > add rule t c iif lo reject with icmp 255
> > >                     ^^^^^^
> > >
> > > There is an off-by-one error in the bounds-checking used before
> > > adding the details of an expression to this array. The result of
> > > this is that if a rule contains enough expressions, nftables will
> > > write past the end of the array leading to memory-corruption and
> > > possibly crashes.
> >
> > The debdiff is somewhat confusing.
> >
> > +nftables (0.9.8-3.2) unstable; urgency=medium
> >
> > This is an upload to bullseye, not unstable. Additionally, the version
> > should be 0.9.8-3.1+deb11u1.
> >
> > + -- Sven Auhagen <sven.auhagen@voleatech.de> Sat, 16 Jul 2022 11:29:27 +0200
> >
> > Who is this? It's obviously not you, but also doesn't appear to be
> > related to the nftables bug report you mentioned.
>
> Whoops. Silly mistakes. Still learning the ropes. I've amended the
> change-log entry.
>
> I've also added myself to `Uploaders` (I am already listed as one in
> testing and unstable).
>
> New debdiff attached.

Is there anything more I can do to get a decision on this bug? Or do I
just need to be more patient? :)

J.
> diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog > --- nftables-0.9.8/debian/changelog 2021-07-20 09:01:47.000000000 +0100 > +++ nftables-0.9.8/debian/changelog 2022-09-04 09:34:11.000000000 +0100 > @@ -1,3 +1,14 @@ > +nftables (0.9.8-3.1+deb11u1) bullseye; urgency=medium > + > + * d/p/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch > + It fixes a one off for the check for NFT_NLATTR_LOC_MAX > + which leads to double free or corruption (out) error. > + Thanks to Sven Auhagen <sven.auhagen@voleatech.de> for > + suggesting the fix (closes: #1017359). > + * d/control: add myself to uploaders. > + > + -- Jeremy Sowden <jeremy@azazel.net> Sun, 04 Sep 2022 09:34:11 +0100 > + > nftables (0.9.8-3.1) unstable; urgency=medium > > * Non-maintainer upload. > diff -Nru nftables-0.9.8/debian/control nftables-0.9.8/debian/control > --- nftables-0.9.8/debian/control 2021-07-20 09:01:47.000000000 +0100 > +++ nftables-0.9.8/debian/control 2022-09-04 09:34:11.000000000 +0100 > @@ -2,7 +2,8 @@ > Section: net > Priority: important > Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org> > -Uploaders: Arturo Borrero Gonzalez <arturo@debian.org> > +Uploaders: Arturo Borrero Gonzalez <arturo@debian.org>, > + Jeremy Sowden <jeremy@azazel.net> > Build-Depends: asciidoc-base, > automake, > bison, > diff -Nru nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch > --- nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch 1970-01-01 01:00:00.000000000 +0100 > +++ nftables-0.9.8/debian/patches/rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch 2022-09-04 09:26:53.000000000 +0100 
> @@ -0,0 +1,32 @@ > +From 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd Mon Sep 17 00:00:00 2001 > +From: Phil Sutter <phil@nwl.cc> > +Date: Fri, 11 Jun 2021 17:08:34 +0200 > +Subject: rule: Fix for potential off-by-one in cmd_add_loc() > + > +Using num_attrs as index means it must be at max one less than the > +array's size at function start. > + > +Fixes: 27362a5bfa433 ("rule: larger number of error locations") > +Signed-off-by: Phil Sutter <phil@nwl.cc> > +--- > + src/rule.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +(limited to 'src/rule.c') > + > +diff --git a/src/rule.c b/src/rule.c > +index dbbe744e..92daf2f3 100644 > +--- a/src/rule.c > ++++ b/src/rule.c > +@@ -1275,7 +1275,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj, > + > + void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc) > + { > +- if (cmd->num_attrs > NFT_NLATTR_LOC_MAX) > ++ if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX) > + return; > + > + cmd->attr[cmd->num_attrs].offset = offset; > +-- > +cgit v1.2.3 > + > diff -Nru nftables-0.9.8/debian/patches/series nftables-0.9.8/debian/patches/series > --- nftables-0.9.8/debian/patches/series 2021-07-20 09:01:47.000000000 +0100 > +++ nftables-0.9.8/debian/patches/series 2022-09-04 09:26:53.000000000 +0100 > @@ -1 +1,2 @@ > payload-check-icmp-dependency-before-removing-previo.patch > +rule_fix_for_potential_off-by-one_in_cmd_add_loc.patch
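Review bot: in the debian/changelog hunk, "It fixes a one off for the check for NFT_NLATTR_LOC_MAX" should read "It fixes an off-by-one in the bounds check against NFT_NLATTR_LOC_MAX", and the entry would be easier to trace if it named the upstream commit the patch carries (2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd, authored by Phil Sutter per the patch's From: line) alongside the thanks to Sven Auhagen for suggesting it. The version string and distribution (0.9.8-3.1+deb11u1, bullseye) now match what Adam asked for.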
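Review bot: the debian/control hunk adds an uploader, which is packaging metadata rather than part of the #1017359 fix; since this debdiff is a stable update, consider keeping the bullseye upload to the patch and changelog only and leaving the Uploaders change to testing/unstable, unless the release team is happy to carry it.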
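Review bot: the src/rule.c hunk is the correct fix: the context line `cmd->attr[cmd->num_attrs].offset = offset;` uses num_attrs as the index, so the guard must refuse num_attrs == NFT_NLATTR_LOC_MAX, which `>` let through and `>=` now catches. Two things worth recording: the function still returns silently when the array is full, so a rule with more than NFT_NLATTR_LOC_MAX expressions simply loses error-location highlighting for the surplus expressions rather than failing loudly (fine for a stable update, but worth a sentence in the changelog), and the patch file has only the git From:/Date:/Subject: headers, so adding DEP-3 `Origin: upstream, commit 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd` and `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017359` lines would make its provenance explicit.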
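Review bot: in the debian/patches/series hunk the new entry uses underscores while the existing one (payload-check-icmp-dependency-before-removing-previo.patch) uses hyphens; renaming to rule-fix-for-potential-off-by-one-in-cmd_add_loc.patch (keeping the function name intact) would keep the series consistent. Appending it after the existing patch is otherwise fine.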
Attachment:
signature.asc
Description: PGP signature
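The off-by-one described in the bug report, as an added example that is not part of this thread, the debdiff, or nftables itself: a cut-down stand-in for nftables' `struct cmd` with the pre-fix (`>`) and post-fix (`>=`) bounds checks side by side, fed a constructed rule with more expressions than the array holds. The value of NFT_NLATTR_LOC_MAX, the field layout, and the guard slot after the logical array (standing in for whatever follows the array in the real struct, so the stray write stays inside this object and is observable without undefined behaviour) are assumptions of this example, not facts from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative capacity; the real NFT_NLATTR_LOC_MAX value is not quoted on this page. */
#define NFT_NLATTR_LOC_MAX 8

/* Sentinel kept in the guard slot so a write past the logical array is detectable. */
#define GUARD_OFFSET 0xBEEF

/* Upper bound on the size of the constructed rules built below. */
#define MAX_EXPRS 64

struct location {
    unsigned line;
    unsigned column;
};

struct nlattr_loc {
    uint16_t offset;            /* netlink attribute offset the kernel reports back */
    const struct location *loc; /* where in the rule text the expression came from */
};

/*
 * Simplified stand-in for struct cmd (assumption). The logical array is
 * attr[0 .. NFT_NLATTR_LOC_MAX-1]; slot NFT_NLATTR_LOC_MAX is a guard slot that
 * models the memory following the array in the real struct.
 */
struct cmd {
    struct nlattr_loc attr[NFT_NLATTR_LOC_MAX + 1];
    uint32_t num_attrs;
};

/* The bounds check as a pluggable predicate: true means "refuse this add". */
typedef bool (*array_full_fn)(const struct cmd *cmd);

/* Pre-fix check (the patch's '-' line): lets num_attrs == NFT_NLATTR_LOC_MAX through. */
static bool array_full_buggy(const struct cmd *cmd)
{
    return cmd->num_attrs > NFT_NLATTR_LOC_MAX;
}

/* Post-fix check (the patch's '+' line): the index must stay below the array size. */
static bool array_full_fixed(const struct cmd *cmd)
{
    return cmd->num_attrs >= NFT_NLATTR_LOC_MAX;
}

/* Mirrors cmd_add_loc(): returns the slot written, or -1 if the add was refused. */
static int cmd_add_loc(struct cmd *cmd, array_full_fn full,
                       uint16_t offset, const struct location *loc)
{
    if (full(cmd))
        return -1;

    int idx = (int)cmd->num_attrs;
    cmd->attr[idx].offset = offset;
    cmd->attr[idx].loc = loc;
    cmd->num_attrs++;
    return idx;
}

/*
 * Record the locations of a constructed rule with nexprs expressions
 * (expression i at attribute offset 4*i, column 8*i) using the given check.
 */
static struct cmd build_rule(array_full_fn full, unsigned nexprs)
{
    static struct location locs[MAX_EXPRS];
    struct cmd cmd;

    memset(&cmd, 0, sizeof cmd);
    cmd.attr[NFT_NLATTR_LOC_MAX].offset = GUARD_OFFSET;

    if (nexprs > MAX_EXPRS)
        nexprs = MAX_EXPRS;

    for (unsigned i = 0; i < nexprs; i++) {
        locs[i].line = 1;
        locs[i].column = 8 * i;
        cmd_add_loc(&cmd, full, (uint16_t)(4 * i), &locs[i]);
    }
    return cmd;
}

/* True if recording nexprs locations with this check wrote past the logical array. */
static bool guard_clobbered(array_full_fn full, unsigned nexprs)
{
    struct cmd cmd = build_rule(full, nexprs);
    return cmd.attr[NFT_NLATTR_LOC_MAX].offset != GUARD_OFFSET;
}

/* Number of locations the check allowed to be stored (num_attrs after the adds). */
static unsigned stored_locations(array_full_fn full, unsigned nexprs)
{
    return build_rule(full, nexprs).num_attrs;
}

int main(void)
{
    unsigned n = NFT_NLATTR_LOC_MAX + 1;

    printf("%u expressions, '>' check:  stored=%u guard clobbered=%s\n", n,
           stored_locations(array_full_buggy, n),
           guard_clobbered(array_full_buggy, n) ? "yes" : "no");
    printf("%u expressions, '>=' check: stored=%u guard clobbered=%s\n", n,
           stored_locations(array_full_fixed, n),
           guard_clobbered(array_full_fixed, n) ? "yes" : "no");
    return 0;
}
```

With exactly NFT_NLATTR_LOC_MAX expressions both checks behave the same; the (NFT_NLATTR_LOC_MAX + 1)th expression is where they diverge, because num_attrs then equals the array size, `num_attrs > NFT_NLATTR_LOC_MAX` is still false, and the store lands one slot past the end. Only one slot is ever overwritten, since the next add sees num_attrs == NFT_NLATTR_LOC_MAX + 1 and is refused; in the real struct that single stray write is enough to corrupt whatever follows the array, which is what the "double free or corruption" reports in the changelog come from.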