Fix warn: integer overflows 'sizeof(*map) + size * set->dsize'
authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Tue, 5 Aug 2014 20:02:34 +0000 (22:02 +0200)
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Tue, 5 Aug 2014 20:02:34 +0000 (22:02 +0200)
Dan Carpenter reported that the static checker emits the warning

        net/netfilter/ipset/ip_set_list_set.c:600 init_list_set()
        warn: integer overflows 'sizeof(*map) + size * set->dsize'

Limit the maximal number of elements in list type of sets.

kernel/include/linux/netfilter/ipset/ip_set_list.h
kernel/net/netfilter/ipset/ip_set_list_set.c

index 68c2aea897f593664dd9d0ab7131b1defd0a9265..fe2622a001516f382b71246dd7d9b68ec4f8b094 100644 (file)
@@ -6,5 +6,6 @@
 
 #define IP_SET_LIST_DEFAULT_SIZE       8
 #define IP_SET_LIST_MIN_SIZE           4
+#define IP_SET_LIST_MAX_SIZE           65536
 
 #endif /* __IP_SET_LIST_H */
index 3e2317f3cf68625848edf5bc1d270b37d7d2af51..f87adbad607696d12f01a6444378bcd5423abb2c 100644 (file)
@@ -597,7 +597,9 @@ init_list_set(struct net *net, struct ip_set *set, u32 size)
        struct set_elem *e;
        u32 i;
 
-       map = kzalloc(sizeof(*map) + size * set->dsize, GFP_KERNEL);
+       map = kzalloc(sizeof(*map) +
+                     min_t(u32, size, IP_SET_LIST_MAX_SIZE) * set->dsize,
+                     GFP_KERNEL);
        if (!map)
                return false;
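Review bot: The clamp is applied only inside the kzalloc() size expression, so `size` itself still holds the caller's value for everything after the allocation. init_list_set's body continues outside the hunk; if it records `size` in the map or uses it as the bound when initialising elements (the `e` and `i` locals suggest such a loop), a request above IP_SET_LIST_MAX_SIZE would get a buffer sized for 65536 entries while later code indexes past it on the heap. Clamping once before the allocation, `size = min_t(u32, size, IP_SET_LIST_MAX_SIZE);`, keeps the allocation and every later use in agreement. Alternatively, the create path could reject oversized values with an error, so userspace is not silently given a smaller set than it asked for.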