From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 21 Oct 2014 16:18:14 +0000 (+0200)
Subject: netfilter: ipset: off by one in ip_set_nfnl_get_byindex()
X-Git-Tag: v6.24~23
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=149294b1ab29cfa607239a63ea20f0be2351bdd4;p=ipset

netfilter: ipset: off by one in ip_set_nfnl_get_byindex()

The ->ip_set_list[] array is initialized in ip_set_net_init() and it
has ->ip_set_max elements so this check should be >= instead of >
otherwise we are off by one.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---

diff --git a/kernel/net/netfilter/ipset/ip_set_core.c b/kernel/net/netfilter/ipset/ip_set_core.c
index e14255f..b3aead3 100644
--- a/kernel/net/netfilter/ipset/ip_set_core.c
+++ b/kernel/net/netfilter/ipset/ip_set_core.c
@@ -668,7 +668,7 @@ ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index)
 	struct ip_set *set;
 	struct ip_set_net *inst = ip_set_pernet(net);
 
-	if (index > inst->ip_set_max)
+	if (index >= inst->ip_set_max)
 		return IPSET_INVALID_ID;
 
 	lock_nfnl();