From: Dan Carpenter <dan.carpenter@oracle.com>
To: kadlec@blackhole.kfki.hu
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org
Subject: re: netfilter: ipset: list:set set type support
Date: Thu, 17 Jul 2014 11:04:52 +0300
Message-ID: <20140717080452.GA2751@mwanda>

Hello Jozsef Kadlecsik,

The patch f830837f0eed: "netfilter: ipset: list:set set type support"
from Feb 1, 2011, leads to the following static checker warning:

	net/netfilter/ipset/ip_set_list_set.c:600 init_list_set()
	warn: integer overflows 'sizeof(*map) + size * set->dsize'

net/netfilter/ipset/ip_set_list_set.c
   594  init_list_set(struct net *net, struct ip_set *set, u32 size)
   595  {
   596          struct list_set *map;
   597          struct set_elem *e;
   598          u32 i;
   599
   600          map = kzalloc(sizeof(*map) + size * set->dsize, GFP_KERNEL);
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This can overflow. size is a number between 4-u32max.

   601          if (!map)
   602                  return false;
   603
   604          map->size = size;
   605          map->net = net;
   606          set->data = map;
   607
   608          for (i = 0; i < size; i++) {
   609                  e = list_set_elem(set, map, i);
   610                  e->id = IPSET_INVALID_ID;
   611          }
   612
   613          return true;
   614  }
   615
   616  static int
   617  list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
   618                  u32 flags)
   619  {
   620          u32 size = IP_SET_LIST_DEFAULT_SIZE;
   621
   622          if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_SIZE) ||
   623                       !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
   624                       !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
   625                  return -IPSET_ERR_PROTOCOL;
   626
   627          if (tb[IPSET_ATTR_SIZE])
   628                  size = ip_set_get_h32(tb[IPSET_ATTR_SIZE]);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
size is set here.

   629          if (size < IP_SET_LIST_MIN_SIZE)
   630                  size = IP_SET_LIST_MIN_SIZE;

There should be an IP_SET_LIST_MAX_SIZE probably, but I don't know what
a reasonable upper bound should be.

   631
   632          set->variant = &set_variant;
   633          set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem));
   634          if (!init_list_set(net, set, size))
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Function call.

   635                  return -ENOMEM;

regards,
dan carpenter
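
The wraparound flagged at line 600, as an added user-space example (not part of the original message and not kernel code): it models the size expression at 32-bit width and shows a pre-allocation check that rejects sizes whose total does not fit. HDR_LEN, ELEM_LEN, the sample sizes and both function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not kernel values. */
#define HDR_LEN   32u   /* plays the role of sizeof(*map) */
#define ELEM_LEN  16u   /* plays the role of set->dsize   */

/* The expression from line 600, evaluated with 32-bit wraparound. */
static uint32_t alloc_len_unchecked(uint32_t hdr, uint32_t size, uint32_t dsize)
{
	return hdr + size * dsize;
}

/* Same computation, but refuses any size whose total exceeds 32 bits. */
static bool alloc_len_checked(uint32_t hdr, uint32_t size, uint32_t dsize,
			      uint32_t *len)
{
	if (dsize != 0 && size > (UINT32_MAX - hdr) / dsize)
		return false;
	*len = hdr + size * dsize;
	return true;
}

int main(void)
{
	/* Constructed inputs: a small request and one large enough to wrap. */
	uint32_t sizes[] = { 8u, 0x10000001u };
	uint32_t len;

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		uint32_t n = sizes[i];

		/* The init loop (lines 608-611) still walks all n elements. */
		printf("size=%u: allocates %u bytes, loop spans %llu bytes\n",
		       (unsigned)n,
		       (unsigned)alloc_len_unchecked(HDR_LEN, n, ELEM_LEN),
		       (unsigned long long)n * ELEM_LEN);
		if (alloc_len_checked(HDR_LEN, n, ELEM_LEN, &len))
			printf("  checked: ok, %u bytes\n", (unsigned)len);
		else
			printf("  checked: rejected before allocation\n");
	}
	return 0;
}
```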