]> granicus.if.org Git - ipset/commitdiff
netfilter: ipset: small potential read beyond the end of buffer
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 18 Nov 2014 08:55:17 +0000 (09:55 +0100)
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Tue, 18 Nov 2014 08:55:17 +0000 (09:55 +0100)
We could be reading 8 bytes into a 4 byte buffer here.  It seems
harmless but adding a check is the right thing to do and it silences a
static checker warning.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
kernel/net/netfilter/ipset/ip_set_core.c

index 872f71e3e1edc9edcf7778c15a7cd17cc9e3837c..c2f4b17025a11fcab909ff1b3b1367b395a52de2 100644 (file)
@@ -1892,6 +1892,11 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
                /* Check the version at the beginning of operations */
                struct ip_set_req_version *req_version = data;
 
+               if (*len < sizeof(struct ip_set_req_version)) {
+                       ret = -EINVAL;
+                       goto done;
+               }
+
                if (req_version->version != IPSET_PROTOCOL) {
                        ret = -EPROTO;
                        goto done;