[iproute2] tc: em_u32: fix offset parsing

Commit Message

Andrea Claudi May 6, 2022, 8:11 p.m. UTC

tc u32 ematch offset parsing might fail even if nexthdr offset is
aligned to 4. The issue can be reproduced with the following script:

tc qdisc del dev dummy0 root
tc qdisc add dev dummy0 root handle 1: htb r2q 1 default 1
tc class add dev dummy0 parent 1:1 classid 1:108 htb quantum 1000000 \
	rate 1.00mbit ceil 10.00mbit burst 6k

while true; do
if ! tc filter add dev dummy0 protocol all parent 1: prio 1 basic match \
	"meta(vlan mask 0xfff eq 1)" and "u32(u32 0x20011002 0xffffffff \
	at nexthdr+8)" flowid 1:108; then
		exit 0
fi
done

which we expect to produce an endless loop.
With the current code, instead, this ends with:

u32: invalid offset alignment, must be aligned to 4.
... meta(vlan mask 0xfff eq 1) and >>u32(u32 0x20011002 0xffffffff at nexthdr+8)<< ...
... u32(u32 0x20011002 0xffffffff at >>nexthdr+8<<)...
Usage: u32(ALIGN VALUE MASK at [ nexthdr+ ] OFFSET)
where: ALIGN  := { u8 | u16 | u32 }

Example: u32(u16 0x1122 0xffff at nexthdr+4)
Illegal "ematch"

This is caused by memcpy copying into buf an unterminated string.

Fix it using strncpy instead of memcpy.

Fixes: commit 311b41454dc4 ("Add new extended match files.")
Reported-by: Alfred Yang <alf.redyoung@gmail.com>
Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
---
 tc/em_u32.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/tc/em_u32.c b/tc/em_u32.c
index bc284af4..ea2bf882 100644
--- a/tc/em_u32.c
+++ b/tc/em_u32.c
@@ -84,7 +84,7 @@  static int u32_parse_eopt(struct nlmsghdr *n, struct tcf_ematch_hdr *hdr,
 		char buf[a->len - nh_len + 1];
 
 		offmask = -1;
-		memcpy(buf, a->data + nh_len, a->len - nh_len);
+		strncpy(buf, a->data + nh_len, a->len - nh_len + 1);
 		offset = strtoul(buf, NULL, 0);
 	} else if (!bstrcmp(a, "nexthdr+")) {
 		a = bstr_next(a);