From: Pablo Neira Ayuso <pablo@netfilter.org>
To: David Baum <davidbaum461@gmail.com>
Cc: fw@strlen.de, phil@nwl.cc, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
horms@kernel.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, netdev@vger.kernel.org
Subject: Re: [PATCH] netfilter: ipset: harden payload calculation in call_ad()
Date: Fri, 10 Apr 2026 03:19:04 +0200 [thread overview]
Message-ID: <adhQCKL9nO68m4nC@chamomile> (raw)
In-Reply-To: <adhMzvFhTcmTMZTV@chamomile>
On Fri, Apr 10, 2026 at 03:05:18AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Mar 13, 2026 at 01:01:32PM -0500, David Baum wrote:
> > call_ad() computes the netlink error payload size with
> > min(SIZE_MAX, sizeof(*errmsg) + nlmsg_len(nlh)), but min(SIZE_MAX, x)
> > is always x, so the guard is a no-op.
> >
> > Replace it with an explicit negative-length check and
> > check_add_overflow() so the addition is validated before being passed
> > to nlmsg_new().
> >
> > Signed-off-by: David Baum <davidbaum461@gmail.com>
> > ---
> > net/netfilter/ipset/ip_set_core.c | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> > index a2fe711cb5e3..11d3854d9b11 100644
> > --- a/net/netfilter/ipset/ip_set_core.c
> > +++ b/net/netfilter/ipset/ip_set_core.c
> > @@ -10,6 +10,7 @@
> > #include <linux/module.h>
> > #include <linux/moduleparam.h>
> > #include <linux/ip.h>
> > +#include <linux/overflow.h>
> > #include <linux/skbuff.h>
> > #include <linux/spinlock.h>
> > #include <linux/rculist.h>
> > @@ -1763,13 +1764,18 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
> > struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
> > struct sk_buff *skb2;
> > struct nlmsgerr *errmsg;
> > - size_t payload = min(SIZE_MAX,
> > - sizeof(*errmsg) + nlmsg_len(nlh));
> > + int nlmsg_payload_len = nlmsg_len(nlh);
> > + size_t payload;
> > int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
> > struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
> > struct nlattr *cmdattr;
> > u32 *errline;
> >
> > + if (nlmsg_payload_len < 0 ||
>
> Hm, nlh was already sanitized by nfnetlink?
>
> > + check_add_overflow(sizeof(*errmsg),
> > + (size_t)nlmsg_payload_len, &payload))
>
> Maybe cap this to int:
>
> int payload = sizeof(struct nlmsgerr);
> ...
>
> if (check_add_overflow(payload, nlmsg_payload_len, &payload))
Wait, then payload and nlmsg_payload_len should be __u32, not int.
>
> > + return -ENOMEM;
> > +
> > skb2 = nlmsg_new(payload, GFP_KERNEL);
> > if (!skb2)
> > return -ENOMEM;
>
prev parent reply other threads:[~2026-04-10 1:19 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-13 18:01 [PATCH] netfilter: ipset: harden payload calculation in call_ad() David Baum
2026-04-10 1:05 ` Pablo Neira Ayuso
2026-04-10 1:19 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adhQCKL9nO68m4nC@chamomile \
--to=pablo@netfilter.org \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=davidbaum461@gmail.com \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox