From 4c16de1a51928ee023199195652ed90ce0fd5950 Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Fri, 31 Aug 2018 11:43:39 +0200 Subject: Validate string type attributes in attr2data() Otherwise, we are missing checks in some paths, e.g. we might overrun the buffer used to save the set name in callback_list() when we strcpy() to it. Signed-off-by: Stefano Brivio Signed-off-by: Jozsef Kadlecsik --- lib/session.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lib') diff --git a/lib/session.c b/lib/session.c index ca96aaa..16b5549 100644 --- a/lib/session.c +++ b/lib/session.c @@ -678,6 +678,10 @@ attr2data(struct ipset_session *session, struct nlattr *nla[], default: break; } + } else if (attr->type == MNL_TYPE_NUL_STRING) { + if (!d || strlen(d) >= attr->len) + FAILURE("Broken kernel message: " + "string type attribute missing or too long!"); } #ifdef IPSET_DEBUG else -- cgit v1.2.3
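Review bot: In the new `MNL_TYPE_NUL_STRING` branch, `strlen(d) >= attr->len` scans `d` with no upper bound, so if the payload is not NUL-terminated inside the attribute, the check itself reads past the end of the message before it can fail. Unless termination is already guaranteed earlier in attr2data() (not visible in this hunk), a bounded scan such as `strnlen(d, attr->len) >= attr->len` avoids that. The check also protects the strcpy() in callback_list() named in the commit message only if `attr->len` is no larger than that destination buffer, and a short comment stating that relationship would help the next reader. Splitting the FAILURE() text into separate "missing" and "too long" messages would make a broken kernel message easier to diagnose.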