On Thu, Aug 31, 2023 at 10:37 AM Florian Westphal [off-list ref] wrote:

Wander Lairson Costa [off-list ref] wrote:

quoted

diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 8f1bfa6ccc2d..13fedf2aaa0f 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c

@@ -315,6 +315,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,

      f = nla_data(osf_attrs[OSF_ATTR_FINGER]);

+     if (f->opt_num > ARRAY_SIZE(f->opt))
+             return -EINVAL;
+

Hmm, this isn't enough; as far as I can see there is no validation
whatsoever.

I didn't get it. It guarantees there is no OOB read of the opt array.

This should also check that all of:

 char    genre[MAXGENRELEN];
 char    version[MAXGENRELEN];
 char    subtype[MAXGENRELEN];

... have a NUL byte. You could use strnlen() == ARRAY_SIZE() -> EINVAL
for those.

I think the correct way would be memchr(genre/version/subtype, 0, MAXGENRELEN).

Maybe there is more to be validated. I did not followup with all the
nested structures buried in user_finger struct.

I focused on the reported issue mainly because I am unfamiliar with
the Netfilter layer. Let me take a deeper look.