From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Patrick McHardy <kaber@trash.net>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
"David S. Miller" <davem@davemloft.net>,
Sergey Popovich <popovich_sergei@mail.ru>,
Masanari Iida <standby24x7@gmail.com>,
Anton Danilov <littlesmilingcloud@gmail.com>,
stephen hemminger <stephen@networkplumber.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernddel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
Date: Mon, 10 Nov 2014 14:24:46 +0000 [thread overview]
Message-ID: <20141110142446.GA29586@salvia> (raw)
In-Reply-To: <20141107062140.GA10905@mwanda>
On Fri, Nov 07, 2014 at 09:21:40AM +0300, Dan Carpenter wrote:
> We could be reading 8 bytes into a 4 byte buffer here. It seems
> harmless but adding a check is the right thing to do and it silences a
> static checker warning.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> index 86f9d76..ac08a3f 100644
> --- a/net/netfilter/ipset/ip_set_core.c
> +++ b/net/netfilter/ipset/ip_set_core.c
> @@ -1863,7 +1863,8 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
> if (*op < IP_SET_OP_VERSION) {
> /* Check the version at the beginning of operations */
> struct ip_set_req_version *req_version = data;
> - if (req_version->version != IPSET_PROTOCOL) {
> + if (*len < sizeof(struct ip_set_req_version) ||
> + req_version->version != IPSET_PROTOCOL) {
> ret = -EPROTO;
> goto done;
Thanks for catching up this.
From other similar code in that location, I can see Jozsef is using
this pattern:
if (*len != sizeof(struct ip_set_req_version)) {
ret = -EINVAL;
goto done;
}
I think it would be good to stick to that for consistency. Thanks.
WARNING: multiple messages have this Message-ID (diff)
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Patrick McHardy <kaber@trash.net>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
"David S. Miller" <davem@davemloft.net>,
Sergey Popovich <popovich_sergei@mail.ru>,
Masanari Iida <standby24x7@gmail.com>,
Anton Danilov <littlesmilingcloud@gmail.com>,
stephen hemminger <stephen@networkplumber.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernddel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
Date: Mon, 10 Nov 2014 15:24:46 +0100 [thread overview]
Message-ID: <20141110142446.GA29586@salvia> (raw)
In-Reply-To: <20141107062140.GA10905@mwanda>
On Fri, Nov 07, 2014 at 09:21:40AM +0300, Dan Carpenter wrote:
> We could be reading 8 bytes into a 4 byte buffer here. It seems
> harmless but adding a check is the right thing to do and it silences a
> static checker warning.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> index 86f9d76..ac08a3f 100644
> --- a/net/netfilter/ipset/ip_set_core.c
> +++ b/net/netfilter/ipset/ip_set_core.c
> @@ -1863,7 +1863,8 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
> if (*op < IP_SET_OP_VERSION) {
> /* Check the version at the beginning of operations */
> struct ip_set_req_version *req_version = data;
> - if (req_version->version != IPSET_PROTOCOL) {
> + if (*len < sizeof(struct ip_set_req_version) ||
> + req_version->version != IPSET_PROTOCOL) {
> ret = -EPROTO;
> goto done;
Thanks for catching up this.
>From other similar code in that location, I can see Jozsef is using
this pattern:
if (*len != sizeof(struct ip_set_req_version)) {
ret = -EINVAL;
goto done;
}
I think it would be good to stick to that for consistency. Thanks.
next prev parent reply other threads:[~2014-11-10 14:24 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-07 6:21 [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer Dan Carpenter
2014-11-07 6:21 ` Dan Carpenter
2014-11-10 14:24 ` Pablo Neira Ayuso [this message]
2014-11-10 14:24 ` Pablo Neira Ayuso
2014-11-10 14:27 ` Jozsef Kadlecsik
2014-11-10 14:27 ` Jozsef Kadlecsik
2014-11-10 16:11 ` Pablo Neira Ayuso
2014-11-10 16:11 ` Pablo Neira Ayuso
2014-11-10 20:59 ` Jozsef Kadlecsik
2014-11-10 21:00 ` Jozsef Kadlecsik
2014-11-11 13:17 ` Pablo Neira Ayuso
2014-11-11 13:17 ` Pablo Neira Ayuso
2014-11-10 22:38 ` Dan Carpenter
2014-11-10 22:38 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141110142446.GA29586@salvia \
--to=pablo@netfilter.org \
--cc=coreteam@netfilter.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=kernel-janitors@vger.kernel.org \
--cc=littlesmilingcloud@gmail.com \
--cc=netdev@vger.kernddel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=popovich_sergei@mail.ru \
--cc=standby24x7@gmail.com \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.