Read the report closer, it's a buffer overflow because the buffer overflow check failed due to:

"Effectively this implies that the compiler is free to emit code that
operates on `reg` as if it were a 32-bit value. If this is the case (and
it is on the kernel I tested), a user can forge an expression register
value that will overflow upon multiplication with `NFT_REG32_SIZE` (4)
and upon addition with `len`, will be a value smaller than
`sizeof_field(struct nft_regs, data)` (0x50). Once this check passes,
the least significant byte of `reg` can still contain a value that will
index outside of the bounds of the `struct nft_regs regs` that it will
later be used with."

Which is the classic way to exploit integer overflow to bypass buffer checks (I've personally written code like this, which thankfully was caught before it got this far).
Did you try to contradict? You only confirm that the bug is a buffer overflow. Take any language with bounds checking, you won't be able to reproduce this bug there by merely overflowing integers.
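The arithmetic described in the quoted report, next to an overflow-safe form of the same bound check, as an added example that is not code from the kernel, the report, or either commenter. It models the "as if it were a 32-bit value" behaviour with `uint32_t`; `REGS_DATA_SIZE`, `check_wrapping`, `check_safe` and `offset_from_low_byte` are hypothetical names, and the sample `reg`/`len` values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NFT_REG32_SIZE 4u    /* value given in the quoted report */
#define REGS_DATA_SIZE 0x50u /* sizeof_field(struct nft_regs, data) per the report */

/* Bound check done entirely in 32-bit arithmetic: both the multiplication
 * and the addition can wrap modulo 2^32 before the comparison happens. */
static bool check_wrapping(uint32_t reg, uint32_t len)
{
    return reg * NFT_REG32_SIZE + len <= REGS_DATA_SIZE;
}

/* Overflow-safe form: bound len first, then compare reg against the
 * largest index that still fits, so no intermediate value can wrap. */
static bool check_safe(uint32_t reg, uint32_t len)
{
    if (len > REGS_DATA_SIZE)
        return false;
    return reg <= (REGS_DATA_SIZE - len) / NFT_REG32_SIZE;
}

/* Byte offset that results when only the least significant byte of reg
 * is kept after the check, as the report describes. */
static uint32_t offset_from_low_byte(uint32_t reg)
{
    return (uint32_t)(uint8_t)reg * NFT_REG32_SIZE;
}

int main(void)
{
    /* Constructed values: reg * 4 wraps to 0xFFFFFFC0, adding len wraps to 0. */
    uint32_t reg = 0xFFFFFFF0u, len = 0x40u;

    printf("wrapping check accepts: %d\n", check_wrapping(reg, len));
    printf("safe check accepts:     %d\n", check_safe(reg, len));
    printf("offset from low byte:   0x%x (limit 0x%x)\n",
           (unsigned)offset_from_low_byte(reg), (unsigned)REGS_DATA_SIZE);
    return 0;
}
```

Both checks agree on in-range inputs; they differ only where the 32-bit sum wraps, which is the case both comments are arguing about.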