From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
Patrick McHardy <kaber@trash.net>,
"David S. Miller" <davem@davemloft.net>,
Sergey Popovich <popovich_sergei@mail.ru>,
Masanari Iida <standby24x7@gmail.com>,
Anton Danilov <littlesmilingcloud@gmail.com>,
stephen hemminger <stephen@networkplumber.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernddel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
Date: Mon, 10 Nov 2014 16:11:21 +0000 [thread overview]
Message-ID: <20141110161121.GA7398@salvia> (raw)
In-Reply-To: <alpine.DEB.2.10.1411101526480.2913@blackhole.kfki.hu>
[-- Attachment #1: Type: text/plain, Size: 653 bytes --]
On Mon, Nov 10, 2014 at 03:27:51PM +0100, Jozsef Kadlecsik wrote:
> On Mon, 10 Nov 2014, Pablo Neira Ayuso wrote:
> > >From other similar code in that location, I can see Jozsef is using
> > this pattern:
> >
> > if (*len != sizeof(struct ip_set_req_version)) {
> > ret = -EINVAL;
> > goto done;
> > }
> >
> > I think it would be good to stick to that for consistency. Thanks.
>
> Absolutely, yes.
>
> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
OK, then does this look fine to you? I took over Dan's patch and gave
it another spin. See it attached, thanks.
[-- Attachment #2: 0001-netfilter-ipset-small-potential-read-beyond-the-end-.patch --]
[-- Type: text/x-diff, Size: 1221 bytes --]
From d67bad383d4ea9dea8872e3999324ccbeb2a5815 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 7 Nov 2014 09:21:40 +0300
Subject: [PATCH] netfilter: ipset: small potential read beyond the end of
buffer
We could be reading 8 bytes into a 4 byte buffer here. It seems
harmless but adding a check is the right thing to do and it silences a
static checker warning.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 86f9d76..d259da3 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1863,6 +1863,12 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
if (*op < IP_SET_OP_VERSION) {
/* Check the version at the beginning of operations */
struct ip_set_req_version *req_version = data;
+
+ if (*len < sizeof(struct ip_set_req_version)) {
+ ret = -EINVAL;
+ goto done;
+ }
+
if (req_version->version != IPSET_PROTOCOL) {
ret = -EPROTO;
goto done;
--
1.7.10.4
WARNING: multiple messages have this Message-ID (diff)
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
Patrick McHardy <kaber@trash.net>,
"David S. Miller" <davem@davemloft.net>,
Sergey Popovich <popovich_sergei@mail.ru>,
Masanari Iida <standby24x7@gmail.com>,
Anton Danilov <littlesmilingcloud@gmail.com>,
stephen hemminger <stephen@networkplumber.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernddel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
Date: Mon, 10 Nov 2014 17:11:21 +0100 [thread overview]
Message-ID: <20141110161121.GA7398@salvia> (raw)
In-Reply-To: <alpine.DEB.2.10.1411101526480.2913@blackhole.kfki.hu>
[-- Attachment #1: Type: text/plain, Size: 653 bytes --]
On Mon, Nov 10, 2014 at 03:27:51PM +0100, Jozsef Kadlecsik wrote:
> On Mon, 10 Nov 2014, Pablo Neira Ayuso wrote:
> > >From other similar code in that location, I can see Jozsef is using
> > this pattern:
> >
> > if (*len != sizeof(struct ip_set_req_version)) {
> > ret = -EINVAL;
> > goto done;
> > }
> >
> > I think it would be good to stick to that for consistency. Thanks.
>
> Absolutely, yes.
>
> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
OK, then does this look fine to you? I took over Dan's patch and gave
it another spin. See it attached, thanks.
[-- Attachment #2: 0001-netfilter-ipset-small-potential-read-beyond-the-end-.patch --]
[-- Type: text/x-diff, Size: 1222 bytes --]
>From d67bad383d4ea9dea8872e3999324ccbeb2a5815 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 7 Nov 2014 09:21:40 +0300
Subject: [PATCH] netfilter: ipset: small potential read beyond the end of
buffer
We could be reading 8 bytes into a 4 byte buffer here. It seems
harmless but adding a check is the right thing to do and it silences a
static checker warning.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 86f9d76..d259da3 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1863,6 +1863,12 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
if (*op < IP_SET_OP_VERSION) {
/* Check the version at the beginning of operations */
struct ip_set_req_version *req_version = data;
+
+ if (*len < sizeof(struct ip_set_req_version)) {
+ ret = -EINVAL;
+ goto done;
+ }
+
if (req_version->version != IPSET_PROTOCOL) {
ret = -EPROTO;
goto done;
--
1.7.10.4
next prev parent reply other threads:[~2014-11-10 16:11 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-07 6:21 [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer Dan Carpenter
2014-11-07 6:21 ` Dan Carpenter
2014-11-10 14:24 ` Pablo Neira Ayuso
2014-11-10 14:24 ` Pablo Neira Ayuso
2014-11-10 14:27 ` Jozsef Kadlecsik
2014-11-10 14:27 ` Jozsef Kadlecsik
2014-11-10 16:11 ` Pablo Neira Ayuso [this message]
2014-11-10 16:11 ` Pablo Neira Ayuso
2014-11-10 20:59 ` Jozsef Kadlecsik
2014-11-10 21:00 ` Jozsef Kadlecsik
2014-11-11 13:17 ` Pablo Neira Ayuso
2014-11-11 13:17 ` Pablo Neira Ayuso
2014-11-10 22:38 ` Dan Carpenter
2014-11-10 22:38 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141110161121.GA7398@salvia \
--to=pablo@netfilter.org \
--cc=coreteam@netfilter.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=kernel-janitors@vger.kernel.org \
--cc=littlesmilingcloud@gmail.com \
--cc=netdev@vger.kernddel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=popovich_sergei@mail.ru \
--cc=standby24x7@gmail.com \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.