iptables: fix memory corruption when parsing nft rules

This commit fixes a memory corruption issue when iptables (with enabled PACKAGECONFIG libnftnl) is used to access rules created by nft. To reproduce the issue: nft add chain ip filter TESTCHAIN { meta mark set 123 \;} iptables -t filter -n -L TESTCHAIN This produced the following output: Chain TESTCHAIN (0 references) target prot opt source destination MARK 0 -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x7b malloc(): corrupted top size Aborted (core dumped) This commit fixes this issue. (From OE-Core rev: fa3873cfcda862d8aad564966070af216e4903c6) Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-29 21:08:42 +01:00 · 2024-07-29 09:54:03 +02:00
parent d672cd4c93
commit 5241a967c1
2 changed files with 38 additions and 0 deletions
--- a/meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch
+++ b/meta/recipes-extended/iptables/iptables/0005-nft-ruleparse-Add-missing-braces-around-ternary.patch
@@ -0,0 +1,37 @@
+From 2026b08bce7fe87b5964f7912e1eef30f04922c1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 26 Jan 2024 18:43:10 +0100
+Subject: [PATCH] nft: ruleparse: Add missing braces around ternary
+
+The expression evaluated the sum before the ternay, consequently not
+adding target->size if tgsize was zero.
+
+Identified by ASAN for a simple rule using standard target:
+| # ebtables -A INPUT -s de:ad:be:ef:0:00 -j RETURN
+| # ebtables -D INPUT -s de:ad:be:ef:0:00 -j RETURN
+| =================================================================
+| ==18925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000120 at pc 0x7f627a4c75c5 bp 0x7ffe882b5180 sp 0x7ffe882b4928
+| READ of size 8 at 0x603000000120 thread T0
+| [...]
+
+Upstream-Status: Backport [2026b08bce7fe87b5964f7912e1eef30f04922c1]
+
+Fixes: 2a6eee89083c8 ("nft-ruleparse: Introduce nft_create_target()")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/nft-ruleparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c
+index 0bbdf44faf..3b1cbe4fa1 100644
+--- a/iptables/nft-ruleparse.c
+++ b/iptables/nft-ruleparse.c
+@@ -94,7 +94,7 @@ __nft_create_target(struct nft_xt_ctx *ctx, const char *name, size_t tgsize)
+ 	if (!target)
+ 		return NULL;
+ 
+-	size = XT_ALIGN(sizeof(*target->t)) + tgsize ?: target->size;
+	size = XT_ALIGN(sizeof(*target->t)) + (tgsize ?: target->size);
+ 
+ 	target->t = xtables_calloc(1, size);
+ 	target->t->u.target_size = size;
--- a/meta/recipes-extended/iptables/iptables_1.8.10.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.10.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.xz \
           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
           file://0002-iptables-xshared.h-add-missing-sys.types.h-include.patch \
           file://0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch \
+           file://0005-nft-ruleparse-Add-missing-braces-around-ternary.patch \
           "
 SRC_URI[sha256sum] = "5cc255c189356e317d070755ce9371eb63a1b783c34498fb8c30264f3cc59c9c"