From: Dan Carpenter <dan.carpenter@oracle.com>
To: kadlec@blackhole.kfki.hu
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Subject: re: netfilter: ipset: list:set set type support
Date: Thu, 17 Jul 2014 11:04:52 +0300
Message-ID: <20140717080452.GA2751@mwanda>

Hello Jozsef Kadlecsik,

The patch f830837f0eed: "netfilter: ipset: list:set set type support"
from Feb 1, 2011, leads to the following static checker warning:

	net/netfilter/ipset/ip_set_list_set.c:600 init_list_set()
	warn: integer overflows 'sizeof(*map) + size * set->dsize'

net/netfilter/ipset/ip_set_list_set.c
   594  init_list_set(struct net *net, struct ip_set *set, u32 size)
   595  {
   596          struct list_set *map;
   597          struct set_elem *e;
   598          u32 i;
   599  
   600          map = kzalloc(sizeof(*map) + size * set->dsize, GFP_KERNEL);
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This can overflow.  size is a number between 4-u32max.

   601          if (!map)
   602                  return false;
   603  
   604          map->size = size;
   605          map->net = net;
   606          set->data = map;
   607  
   608          for (i = 0; i < size; i++) {
   609                  e = list_set_elem(set, map, i);
   610                  e->id = IPSET_INVALID_ID;
   611          }
   612  
   613          return true;
   614  }
   615  
   616  static int
   617  list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
   618                  u32 flags)
   619  {
   620          u32 size = IP_SET_LIST_DEFAULT_SIZE;
   621  
   622          if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_SIZE) ||
   623                       !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
   624                       !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
   625                  return -IPSET_ERR_PROTOCOL;
   626  
   627          if (tb[IPSET_ATTR_SIZE])
   628                  size = ip_set_get_h32(tb[IPSET_ATTR_SIZE]);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
size is set here.

   629          if (size < IP_SET_LIST_MIN_SIZE)
   630                  size = IP_SET_LIST_MIN_SIZE;

There should be an IP_SET_LIST_MAX_SIZE probably, but I don't know what
a reasonable upper bound should be.

   631  
   632          set->variant = &set_variant;
   633          set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem));
   634          if (!init_list_set(net, set, size))
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Function call.

   635                  return -ENOMEM;

regards,
dan carpenter
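
The wrap flagged at line 600, reproduced in user space as an added example (not part of the original message and not kernel code), next to a checked form of the same computation. It assumes the arithmetic is done in 32 bits, modelled with uint32_t; HDR_SIZE and ELEM_SIZE are constructed stand-ins for sizeof(*map) and set->dsize, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not the kernel's real sizes. */
#define HDR_SIZE  32u   /* models sizeof(*map) */
#define ELEM_SIZE 16u   /* models set->dsize */

/* Line 600's expression in 32-bit arithmetic: wraps modulo 2^32. */
static uint32_t alloc_len_unchecked(uint32_t size, uint32_t dsize)
{
    return HDR_SIZE + size * dsize;
}

/* Bytes the init loop at lines 608-611 expects to exist (64-bit math). */
static uint64_t bytes_needed(uint32_t size, uint32_t dsize)
{
    return (uint64_t)HDR_SIZE + (uint64_t)size * dsize;
}

/* Checked form: fail instead of wrapping when the total does not fit. */
static bool alloc_len_checked(uint32_t size, uint32_t dsize, uint32_t *out)
{
    if (dsize != 0 && size > (UINT32_MAX - HDR_SIZE) / dsize)
        return false;
    *out = HDR_SIZE + size * dsize;
    return true;
}

int main(void)
{
    /* Constructed inputs: a small list and one whose byte count wraps. */
    const uint32_t sizes[] = { 8u, 0x10000000u };
    uint32_t len;

    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        uint32_t n = sizes[i];
        printf("size=%u unchecked=%u needed=%llu checked=%s\n",
               (unsigned)n, (unsigned)alloc_len_unchecked(n, ELEM_SIZE),
               (unsigned long long)bytes_needed(n, ELEM_SIZE),
               alloc_len_checked(n, ELEM_SIZE, &len) ? "ok" : "rejected");
    }
    return 0;
}
```

With size 0x10000000 the unchecked length comes out as 32 bytes while the initialisation loop would still walk every one of the requested elements.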
