diff options
author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2014-09-01 18:58:43 +0200 |
---|---|---|
committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2014-09-01 18:58:43 +0200 |
commit | 49524319b9dd396cfdf04eaf473390e475600d40 (patch) | |
tree | 21af61bb77fd9adb5ed43ec5d4658a027da36320 /kernel | |
parent | 9dda587bec7966949c3a7e01f6e7de1c6899a7b8 (diff) |
Fix static checker warning in ip_set_core.c
Dan Carpenter reported the following static checker warning:
net/netfilter/ipset/ip_set_core.c:1414 call_ad()
error: 'nlh->nlmsg_len' from user is not capped properly
The payload size is limited now by the max size of size_t.
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/net/netfilter/ipset/ip_set_core.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_core.c b/kernel/net/netfilter/ipset/ip_set_core.c index 2adf675..807b529 100644 --- a/kernel/net/netfilter/ipset/ip_set_core.c +++ b/kernel/net/netfilter/ipset/ip_set_core.c @@ -1417,7 +1417,8 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set, struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb); struct sk_buff *skb2; struct nlmsgerr *errmsg; - size_t payload = sizeof(*errmsg) + nlmsg_len(nlh); + size_t payload = min(SIZE_MAX, + sizeof(*errmsg) + nlmsg_len(nlh)); int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg)); struct nlattr *cda[IPSET_ATTR_CMD_MAX+1]; struct nlattr *cmdattr; |