granicus.if.org Git - ipset/commitdiff
Validate string type attributes in attr2data()
author Stefano Brivio <sbrivio@redhat.com>
Fri, 31 Aug 2018 09:43:39 +0000 (11:43 +0200)
committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Mon, 3 Sep 2018 18:52:40 +0000 (20:52 +0200)
Otherwise, we are missing checks in some paths, e.g. we might
overrun the buffer used to save the set name in callback_list()
when we strcpy() to it.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
lib/session.c

index ca96aaa57ea6277e407018c493ecfb89eae4a478..16b5549e73db2c04aacbec6b9e4cf3f65f817972 100644 (file)
@@ -678,6 +678,10 @@ attr2data(struct ipset_session *session, struct nlattr *nla[],
                default:
                        break;
                }
+       } else if (attr->type == MNL_TYPE_NUL_STRING) {
+               if (!d || strlen(d) >= attr->len)
+                       FAILURE("Broken kernel message: "
+                               "string type attribute missing or too long!");
        }
 #ifdef IPSET_DEBUG
         else
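Review bot: The `strlen(d)` call in the new `else if` branch is not itself bounded. It scans until it meets a NUL, so if the data behind `d` is not terminated inside the received attribute, the check reads beyond the payload before it can report failure. Unless NUL termination is already guaranteed by validation that runs earlier (not visible in this hunk), a bounded scan such as strnlen() limited to the attribute's payload length would be safer. The test `strlen(d) >= attr->len` also only protects the strcpy() in callback_list() named in the commit message if `attr->len` never exceeds the size of the destination buffer; a short comment stating that invariant would help. Finally, with IPSET_DEBUG defined the trailing `else` now binds to this new `else if`, so string type attributes no longer reach the debug branch; please confirm that is intended.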