Commit bf58e667 authored Jul 18, 2025 by Florian Westphal Committed by Pablo Neira Ayuso Jul 25, 2025

netfilter: xt_nfacct: don't assume acct name is null-terminated



BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721
Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851
[..]
 string+0x231/0x2b0 lib/vsprintf.c:721
 vsnprintf+0x739/0xf00 lib/vsprintf.c:2874
 [..]
 nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41
 xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523

nfnl_acct_find_get() handles non-null input, but the error
printk relied on its presence.

Reported-by:  <syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=4ff165b9251e4d295690


Tested-by:  <syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com>
Fixes: ceb98d03 ("netfilter: xtables: add nfacct match to support extended accounting")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 897eefee

net/netfilter/xt_nfacct.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -38,8 +38,8 @@ nfacct_mt_checkentry(const struct xt_mtchk_param *par)

		nfacct = nfnl_acct_find_get(par->net, info->name);
		if (nfacct == NULL) {
		pr_info_ratelimited("accounting object `%s' does not exists\n",
		info->name);
		pr_info_ratelimited("accounting object `%.*s' does not exist\n",
		NFACCT_NAME_MAX, info->name);
		return -ENOENT;
		}
		info->nfacct = nfacct;