From: Pablo Neira Ayuso <pablo@netfilter.org>
To: David Baum <davidbaum461@gmail.com>
Cc: fw@strlen.de, phil@nwl.cc, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
horms@kernel.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, netdev@vger.kernel.org
Subject: Re: [PATCH] netfilter: ipset: harden payload calculation in call_ad()
Date: Fri, 10 Apr 2026 03:05:18 +0200 [thread overview]
Message-ID: <adhMzvFhTcmTMZTV@chamomile> (raw)
In-Reply-To: <20260313180132.75655-1-davidbaum461@gmail.com>
On Fri, Mar 13, 2026 at 01:01:32PM -0500, David Baum wrote:
> call_ad() computes the netlink error payload size with
> min(SIZE_MAX, sizeof(*errmsg) + nlmsg_len(nlh)), but min(SIZE_MAX, x)
> is always x, so the guard is a no-op.
>
> Replace it with an explicit negative-length check and
> check_add_overflow() so the addition is validated before being passed
> to nlmsg_new().
>
> Signed-off-by: David Baum <davidbaum461@gmail.com>
> ---
> net/netfilter/ipset/ip_set_core.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> index a2fe711cb5e3..11d3854d9b11 100644
> --- a/net/netfilter/ipset/ip_set_core.c
> +++ b/net/netfilter/ipset/ip_set_core.c
> @@ -10,6 +10,7 @@
> #include <linux/module.h>
> #include <linux/moduleparam.h>
> #include <linux/ip.h>
> +#include <linux/overflow.h>
> #include <linux/skbuff.h>
> #include <linux/spinlock.h>
> #include <linux/rculist.h>
> @@ -1763,13 +1764,18 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
> struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
> struct sk_buff *skb2;
> struct nlmsgerr *errmsg;
> - size_t payload = min(SIZE_MAX,
> - sizeof(*errmsg) + nlmsg_len(nlh));
> + int nlmsg_payload_len = nlmsg_len(nlh);
> + size_t payload;
> int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
> struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
> struct nlattr *cmdattr;
> u32 *errline;
>
> + if (nlmsg_payload_len < 0 ||
Hm, nlh was already sanitized by nfnetlink?
> + check_add_overflow(sizeof(*errmsg),
> + (size_t)nlmsg_payload_len, &payload))
Maybe cap this to int:
int payload = sizeof(struct nlmsgerr);
...
if (check_add_overflow(payload, nlmsg_payload_len, &payload))
> + return -ENOMEM;
> +
> skb2 = nlmsg_new(payload, GFP_KERNEL);
> if (!skb2)
> return -ENOMEM;
next prev parent reply other threads:[~2026-04-10 1:05 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-13 18:01 [PATCH] netfilter: ipset: harden payload calculation in call_ad() David Baum
2026-04-10 1:05 ` Pablo Neira Ayuso [this message]
2026-04-10 1:19 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adhMzvFhTcmTMZTV@chamomile \
--to=pablo@netfilter.org \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=davidbaum461@gmail.com \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox