netfilter: ipset: Fix static checker warning in ip_set_core.c
author Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Mon, 15 Sep 2014 18:48:26 +0000 (20:48 +0200)
committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Mon, 15 Sep 2014 20:20:20 +0000 (22:20 +0200)
Dan Carpenter reported the following static checker warning:

        net/netfilter/ipset/ip_set_core.c:1414 call_ad()
        error: 'nlh->nlmsg_len' from user is not capped properly

The payload size is limited now by the max size of size_t.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
net/netfilter/ipset/ip_set_core.c

index 5593e97426c45cfa47559b5b631f42211ef13cda..4ca4e5ca6f57ba9bc4c96d71fed3c30604175347 100644 (file)
@@ -1397,7 +1397,8 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
                struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
                struct sk_buff *skb2;
                struct nlmsgerr *errmsg;
-               size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
+               size_t payload = min(SIZE_MAX,
+                                    sizeof(*errmsg) + nlmsg_len(nlh));
                int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
                struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
                struct nlattr *cmdattr;
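
Review bot: The min(SIZE_MAX, ...) wrapped around the new payload initializer cannot cap anything. The expression sizeof(*errmsg) + nlmsg_len(nlh) is already evaluated as a size_t, so its result is never greater than SIZE_MAX and min() always returns the sum unchanged; any wrap-around would happen inside the addition, before min() sees the value. The reported warning is about nlh->nlmsg_len coming from user space, so the fix should compare that length against a concrete upper bound before payload is computed (and reject or truncate when it is exceeded), and the commit message should name that bound. As written, the change quiets the checker without changing behaviour.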