authorJozsef Kadlecsik <kadlec@netfilter.org>2021-01-19 08:39:50 +0100
committerJozsef Kadlecsik <kadlec@netfilter.org>2021-01-19 08:39:50 +0100
commita11d65f39b39e573418b4296b22c3dccfd5a4b5c (patch)
tree40ec3a6f75da201642a891d1abb2e039d25ae307
parent637ce45bf221d276cc4b20eb84444e7196b322d5 (diff)
Argument parsing buffer overflow in ipset_parse_argv fixed
Argument length checking was simply missing. Fixes netfilter bugzilla #1492, reported by Marshall Whittaker. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
-rw-r--r--lib/ipset.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/ipset.c b/lib/ipset.c
index 8633491..8ae2b6f 100644
--- a/lib/ipset.c
+++ b/lib/ipset.c
@@ -949,6 +949,11 @@ ipset_parse_argv(struct ipset *ipset, int oargc, char *oargv[])
int argc = oargc;
char *argv[MAX_ARGS] = {};
+ if (argc > MAX_ARGS)
+ return ipset->custom_error(ipset,
+ p, IPSET_PARAMETER_PROBLEM,
+ "Line is too long to parse.");
+
/* We need a local copy because of ipset_shift_argv */
memcpy(argv, oargv, sizeof(char *) * argc);
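Review bot: The added guard bounds `argc` only from above, so a negative `oargc` passed by a library caller would still reach `memcpy(argv, oargv, sizeof(char *) * argc)`, where it converts to a very large size; testing both ends, `if (argc < 0 || argc > MAX_ARGS)`, would cover that case too. The message `"Line is too long to parse."` talks about line length while the test is on the argument count, so wording such as `"Too many arguments to parse."` would be easier for a user to act on, provided nothing matches on the existing text. A short comment above the check, `/* argv[] has MAX_ARGS slots; reject longer input before the copy below */`, would record why it has to come before the memcpy. The function starts before and continues after this hunk, so whether later code relies on a spare NULL slot at `argv[argc]` when `argc == MAX_ARGS` cannot be confirmed from the lines shown.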