* [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
@ 2014-11-07 6:21 Dan Carpenter
2014-11-10 14:24 ` Pablo Neira Ayuso
0 siblings, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2014-11-07 6:21 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Patrick McHardy, Jozsef Kadlecsik, David S. Miller,
Sergey Popovich, Masanari Iida, Anton Danilov, stephen hemminger,
netfilter-devel, coreteam, netdev, kernel-janitors
We could be reading 8 bytes into a 4 byte buffer here. It seems
harmless but adding a check is the right thing to do and it silences a
static checker warning.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 86f9d76..ac08a3f 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1863,7 +1863,8 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
if (*op < IP_SET_OP_VERSION) {
/* Check the version at the beginning of operations */
struct ip_set_req_version *req_version = data;
- if (req_version->version != IPSET_PROTOCOL) {
+ if (*len < sizeof(struct ip_set_req_version) ||
+ req_version->version != IPSET_PROTOCOL) {
ret = -EPROTO;
goto done;
}
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
2014-11-07 6:21 [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer Dan Carpenter
@ 2014-11-10 14:24 ` Pablo Neira Ayuso
2014-11-10 14:27 ` Jozsef Kadlecsik
0 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2014-11-10 14:24 UTC (permalink / raw)
To: Dan Carpenter
Cc: Patrick McHardy, Jozsef Kadlecsik, David S. Miller,
Sergey Popovich, Masanari Iida, Anton Danilov, stephen hemminger,
netfilter-devel, coreteam, netdev, kernel-janitors
On Fri, Nov 07, 2014 at 09:21:40AM +0300, Dan Carpenter wrote:
> We could be reading 8 bytes into a 4 byte buffer here. It seems
> harmless but adding a check is the right thing to do and it silences a
> static checker warning.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> index 86f9d76..ac08a3f 100644
> --- a/net/netfilter/ipset/ip_set_core.c
> +++ b/net/netfilter/ipset/ip_set_core.c
> @@ -1863,7 +1863,8 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
> if (*op < IP_SET_OP_VERSION) {
> /* Check the version at the beginning of operations */
> struct ip_set_req_version *req_version = data;
> - if (req_version->version != IPSET_PROTOCOL) {
> + if (*len < sizeof(struct ip_set_req_version) ||
> + req_version->version != IPSET_PROTOCOL) {
> ret = -EPROTO;
> goto done;
Thanks for catching up this.
>From other similar code in that location, I can see Jozsef is using
this pattern:
if (*len != sizeof(struct ip_set_req_version)) {
ret = -EINVAL;
goto done;
}
I think it would be good to stick to that for consistency. Thanks.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
2014-11-10 14:24 ` Pablo Neira Ayuso
@ 2014-11-10 14:27 ` Jozsef Kadlecsik
2014-11-10 16:11 ` Pablo Neira Ayuso
0 siblings, 1 reply; 7+ messages in thread
From: Jozsef Kadlecsik @ 2014-11-10 14:27 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Dan Carpenter, Patrick McHardy, David S. Miller, Sergey Popovich,
Masanari Iida, Anton Danilov, stephen hemminger, netfilter-devel,
coreteam, netdev, kernel-janitors
On Mon, 10 Nov 2014, Pablo Neira Ayuso wrote:
> On Fri, Nov 07, 2014 at 09:21:40AM +0300, Dan Carpenter wrote:
> > We could be reading 8 bytes into a 4 byte buffer here. It seems
> > harmless but adding a check is the right thing to do and it silences a
> > static checker warning.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> > index 86f9d76..ac08a3f 100644
> > --- a/net/netfilter/ipset/ip_set_core.c
> > +++ b/net/netfilter/ipset/ip_set_core.c
> > @@ -1863,7 +1863,8 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
> > if (*op < IP_SET_OP_VERSION) {
> > /* Check the version at the beginning of operations */
> > struct ip_set_req_version *req_version = data;
> > - if (req_version->version != IPSET_PROTOCOL) {
> > + if (*len < sizeof(struct ip_set_req_version) ||
> > + req_version->version != IPSET_PROTOCOL) {
> > ret = -EPROTO;
> > goto done;
>
> Thanks for catching up this.
>
> >From other similar code in that location, I can see Jozsef is using
> this pattern:
>
> if (*len != sizeof(struct ip_set_req_version)) {
> ret = -EINVAL;
> goto done;
> }
>
> I think it would be good to stick to that for consistency. Thanks.
Absolutely, yes.
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
2014-11-10 14:27 ` Jozsef Kadlecsik
@ 2014-11-10 16:11 ` Pablo Neira Ayuso
2014-11-10 21:00 ` Jozsef Kadlecsik
2014-11-10 22:38 ` Dan Carpenter
0 siblings, 2 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2014-11-10 16:11 UTC (permalink / raw)
To: Jozsef Kadlecsik
Cc: Dan Carpenter, Patrick McHardy, David S. Miller, Sergey Popovich,
Masanari Iida, Anton Danilov, stephen hemminger, netfilter-devel,
coreteam, netdev, kernel-janitors
[-- Attachment #1: Type: text/plain, Size: 653 bytes --]
On Mon, Nov 10, 2014 at 03:27:51PM +0100, Jozsef Kadlecsik wrote:
> On Mon, 10 Nov 2014, Pablo Neira Ayuso wrote:
> > >From other similar code in that location, I can see Jozsef is using
> > this pattern:
> >
> > if (*len != sizeof(struct ip_set_req_version)) {
> > ret = -EINVAL;
> > goto done;
> > }
> >
> > I think it would be good to stick to that for consistency. Thanks.
>
> Absolutely, yes.
>
> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
OK, then does this look fine to you? I took over Dan's patch and gave
it another spin. See it attached, thanks.
[-- Attachment #2: 0001-netfilter-ipset-small-potential-read-beyond-the-end-.patch --]
[-- Type: text/x-diff, Size: 1222 bytes --]
>From d67bad383d4ea9dea8872e3999324ccbeb2a5815 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 7 Nov 2014 09:21:40 +0300
Subject: [PATCH] netfilter: ipset: small potential read beyond the end of
buffer
We could be reading 8 bytes into a 4 byte buffer here. It seems
harmless but adding a check is the right thing to do and it silences a
static checker warning.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 86f9d76..d259da3 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1863,6 +1863,12 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
if (*op < IP_SET_OP_VERSION) {
/* Check the version at the beginning of operations */
struct ip_set_req_version *req_version = data;
+
+ if (*len < sizeof(struct ip_set_req_version)) {
+ ret = -EINVAL;
+ goto done;
+ }
+
if (req_version->version != IPSET_PROTOCOL) {
ret = -EPROTO;
goto done;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
2014-11-10 16:11 ` Pablo Neira Ayuso
@ 2014-11-10 21:00 ` Jozsef Kadlecsik
2014-11-11 13:17 ` Pablo Neira Ayuso
2014-11-10 22:38 ` Dan Carpenter
1 sibling, 1 reply; 7+ messages in thread
From: Jozsef Kadlecsik @ 2014-11-10 21:00 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Dan Carpenter, Patrick McHardy, David S. Miller, Sergey Popovich,
Masanari Iida, Anton Danilov, stephen hemminger, netfilter-devel,
coreteam, netdev, kernel-janitors
On Mon, 10 Nov 2014, Pablo Neira Ayuso wrote:
> On Mon, Nov 10, 2014 at 03:27:51PM +0100, Jozsef Kadlecsik wrote:
> > On Mon, 10 Nov 2014, Pablo Neira Ayuso wrote:
> > > >From other similar code in that location, I can see Jozsef is using
> > > this pattern:
> > >
> > > if (*len != sizeof(struct ip_set_req_version)) {
> > > ret = -EINVAL;
> > > goto done;
> > > }
> > >
> > > I think it would be good to stick to that for consistency. Thanks.
> >
> > Absolutely, yes.
> >
> > Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
>
> OK, then does this look fine to you? I took over Dan's patch and gave
> it another spin. See it attached, thanks.
Yes, it's better this way, thanks!
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
2014-11-10 16:11 ` Pablo Neira Ayuso
2014-11-10 21:00 ` Jozsef Kadlecsik
@ 2014-11-10 22:38 ` Dan Carpenter
1 sibling, 0 replies; 7+ messages in thread
From: Dan Carpenter @ 2014-11-10 22:38 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Jozsef Kadlecsik, Patrick McHardy, David S. Miller,
Sergey Popovich, Masanari Iida, Anton Danilov, stephen hemminger,
netfilter-devel, coreteam, netdev, kernel-janitors
On Mon, Nov 10, 2014 at 05:11:21PM +0100, Pablo Neira Ayuso wrote:
> OK, then does this look fine to you? I took over Dan's patch and gave
> it another spin. See it attached, thanks.
Looks good to me, thanks.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer
2014-11-10 21:00 ` Jozsef Kadlecsik
@ 2014-11-11 13:17 ` Pablo Neira Ayuso
0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2014-11-11 13:17 UTC (permalink / raw)
To: Jozsef Kadlecsik
Cc: Dan Carpenter, Patrick McHardy, David S. Miller, Sergey Popovich,
Masanari Iida, Anton Danilov, stephen hemminger, netfilter-devel,
coreteam, netdev, kernel-janitors
On Mon, Nov 10, 2014 at 10:00:20PM +0100, Jozsef Kadlecsik wrote:
> On Mon, 10 Nov 2014, Pablo Neira Ayuso wrote:
>
> > On Mon, Nov 10, 2014 at 03:27:51PM +0100, Jozsef Kadlecsik wrote:
> > > On Mon, 10 Nov 2014, Pablo Neira Ayuso wrote:
> > > > >From other similar code in that location, I can see Jozsef is using
> > > > this pattern:
> > > >
> > > > if (*len != sizeof(struct ip_set_req_version)) {
> > > > ret = -EINVAL;
> > > > goto done;
> > > > }
> > > >
> > > > I think it would be good to stick to that for consistency. Thanks.
> > >
> > > Absolutely, yes.
> > >
> > > Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> >
> > OK, then does this look fine to you? I took over Dan's patch and gave
> > it another spin. See it attached, thanks.
>
> Yes, it's better this way, thanks!
Applied, thanks Dan and Jozsef.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-11-11 13:15 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-07 6:21 [patch -mainline] netfilter: ipset: small potential read beyond the end of buffer Dan Carpenter
2014-11-10 14:24 ` Pablo Neira Ayuso
2014-11-10 14:27 ` Jozsef Kadlecsik
2014-11-10 16:11 ` Pablo Neira Ayuso
2014-11-10 21:00 ` Jozsef Kadlecsik
2014-11-11 13:17 ` Pablo Neira Ayuso
2014-11-10 22:38 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).