On Tue, Jun 24, 2025 at 11:01:13PM +0200, Florian Westphal wrote:
> There is a stack oob read access in netlink_gen_chain():
>
>         mpz_export_data(chain, expr->chain->value,
>                         BYTEORDER_HOST_ENDIAN, len);
>         snprintf(data->chain, NFT_CHAIN_MAXNAMELEN, "%s", chain);
>
> There is no guarantee that chain[] is null terminated, so snprintf
> can read past the chain[] array. ASAN report is:
>
> AddressSanitizer: stack-buffer-overflow on address 0x7ffff5f00520 at ..
> READ of size 257 at 0x7ffff5f00520 thread T0
>     #0 0x00000032ffb6 in printf_common(void*, char const*, __va_list_tag*) (src/nft+0x32ffb6)
>     #1 0x00000033055d in vsnprintf (src/nft+0x33055d)
>     #2 0x000000332071 in snprintf (src/nft+0x332071)
>     #3 0x0000004eef03 in netlink_gen_chain src/netlink.c:454:2
>     #4 0x0000004eef03 in netlink_gen_verdict src/netlink.c:467:4
>
> Reject chain jumps that exceed 255 characters, which matches the netlink
> policy on the kernel side.
>
> The included reproducer fails without asan too because the kernel will
> reject the too-long chain name. But that happens after the asan detected
> bogus read.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>

Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
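The bug class above, as an added stand-alone example that is not nftables code and not part of the thread: a fixed-size name buffer is filled by a raw byte export that appends no terminator, then formatted with "%s". The names chain_value, export_data, gen_chain_unsafe, gen_chain_checked, make_name and the CHAIN_MAXNAMELEN value of 256 are assumptions made for this example (the real NFT_CHAIN_MAXNAMELEN, the exact guards in netlink_gen_chain and the mpz_export_data signature are not taken from the page). The unsafe variant keeps the pattern the report describes; the checked variant applies the fix the commit message states (reject names over 255 characters) and additionally bounds the format read with a precision argument so it can never run past the bytes that were copied.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for NFT_CHAIN_MAXNAMELEN: the destination holds 256
 * bytes, i.e. a 255-character name plus its NUL terminator. */
#define CHAIN_MAXNAMELEN 256

/* Constructed model of expr->chain: raw bytes plus a byte length. Like an
 * mpz value it carries no terminator of its own. */
struct chain_value {
	const char *bytes;
	size_t len;
};

/* Stand-in for mpz_export_data(): copies exactly len bytes, never a NUL. */
static void export_data(char *dst, const struct chain_value *v)
{
	memcpy(dst, v->bytes, v->len);
}

/* The pattern from the report. chain[] is zeroed first, so a short name is
 * terminated by the untouched tail, but when len == sizeof(chain) no NUL is
 * left and "%s" reads past the array: undefined behaviour, which ASAN
 * reports as a stack-buffer-overflow READ. The size guard is an assumption
 * for this example; note it still admits len == 256. Do not call this with
 * len >= CHAIN_MAXNAMELEN. */
static int gen_chain_unsafe(const struct chain_value *v, char out[CHAIN_MAXNAMELEN])
{
	char chain[CHAIN_MAXNAMELEN];

	if (v->len > sizeof(chain))
		return -1;

	memset(chain, 0, sizeof(chain));
	export_data(chain, v);
	snprintf(out, CHAIN_MAXNAMELEN, "%s", chain);   /* unbounded read */
	return 0;
}

/* Hardened form. Names longer than 255 characters are rejected up front,
 * the limit the commit message says matches the kernel's netlink policy,
 * and the precision bound makes snprintf read at most len bytes even if
 * nothing in chain[] terminates the string. */
static int gen_chain_checked(const struct chain_value *v, char out[CHAIN_MAXNAMELEN])
{
	char chain[CHAIN_MAXNAMELEN];

	if (v->len == 0 || v->len > CHAIN_MAXNAMELEN - 1)
		return -1;

	memset(chain, 0, sizeof(chain));
	export_data(chain, v);
	snprintf(out, CHAIN_MAXNAMELEN, "%.*s", (int)v->len, chain);
	return 0;
}

/* Build a constructed name of n 'a' bytes in caller-provided storage. */
static struct chain_value make_name(char *storage, size_t n)
{
	struct chain_value v = { storage, n };

	memset(storage, 'a', n);
	return v;
}

int main(void)
{
	static char buf[CHAIN_MAXNAMELEN + 1];
	char out[CHAIN_MAXNAMELEN];
	struct chain_value v;

	v = make_name(buf, 255);
	printf("255-byte name: checked=%d\n", gen_chain_checked(&v, out));
	v = make_name(buf, 256);
	printf("256-byte name: checked=%d (rejected)\n", gen_chain_checked(&v, out));
	return 0;
}
```

The precision bound is the belt to the length check's braces: even if a future caller bypasses the 255-character check, "%.*s" with the copied length stops the read at the buffer's contents rather than at whatever lies on the stack after it.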