From a11d65f39b39e573418b4296b22c3dccfd5a4b5c Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik
Date: Tue, 19 Jan 2021 08:39:50 +0100
Subject: Argument parsing buffer overflow in ipset_parse_argv fixed
Argument length checking was simply missing. Fixes netfilter bugzilla #1492, reported by Marshall Whittaker.
Signed-off-by: Jozsef Kadlecsik
---
 lib/ipset.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/ipset.c b/lib/ipset.c
index 8633491..8ae2b6f 100644
--- a/lib/ipset.c
+++ b/lib/ipset.c
@@ -949,6 +949,11 @@ ipset_parse_argv(struct ipset *ipset, int oargc, char *oargv[])
 int argc = oargc;
 char *argv[MAX_ARGS] = {};
+ if (argc > MAX_ARGS)
+ return ipset->custom_error(ipset,
+ p, IPSET_PARAMETER_PROBLEM,
+ "Line is too long to parse.");
+
 /* We need a local copy because of ipset_shift_argv */
 memcpy(argv, oargv, sizeof(char *) * argc);
--
cgit v1.2.3
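Review bot: The new guard ahead of the `memcpy` bounds `argc` only from above, so a negative `oargc` would still reach `sizeof(char *) * argc`, convert to a very large `size_t`, and overrun `argv[MAX_ARGS]`; because this is a library entry point I would write the test as `if (argc < 0 || argc > MAX_ARGS)`. The boundary case `argc == MAX_ARGS` is accepted and fills the array with no spare slot, which is fine for the copy itself but should be confirmed against the rest of `ipset_parse_argv` (outside this hunk) in case later code reads `argv[argc]`. The message `"Line is too long to parse."` describes a character length while the condition counts arguments, so wording such as `"Too many arguments."` would be easier to act on. A one-line comment above the check, for example `/* argv[] holds at most MAX_ARGS pointers; reject before the copy below */`, would record why it must stay ahead of the `memcpy`.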