projects / platform / kernel / linux-rpi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 94729f8)
netfilter: ipset: Fix warn: integer overflows 'sizeof(*map) + size * set->dsize'
authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Tue, 5 Aug 2014 20:02:34 +0000 (22:02 +0200)
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Sun, 24 Aug 2014 17:33:10 +0000 (19:33 +0200)
Dan Carpenter reported that the static checker emits the warning

        net/netfilter/ipset/ip_set_list_set.c:600 init_list_set()
        warn: integer overflows 'sizeof(*map) + size * set->dsize'

Limit the maximal number of elements in list type of sets.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
include/linux/netfilter/ipset/ip_set_list.h patch | blob | history
net/netfilter/ipset/ip_set_list_set.c patch | blob | history

diff --git a/include/linux/netfilter/ipset/ip_set_list.h b/include/linux/netfilter/ipset/ip_set_list.h
index 68c2aea..fe2622a 100644 (file)
--- a/include/linux/netfilter/ipset/ip_set_list.h
+++ b/include/linux/netfilter/ipset/ip_set_list.h
@@ -6,5 +6,6 @@
 
 #define IP_SET_LIST_DEFAULT_SIZE       8
 #define IP_SET_LIST_MIN_SIZE           4
+#define IP_SET_LIST_MAX_SIZE           65536
 
 #endif /* __IP_SET_LIST_H */
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 3e2317f..f87adba 100644 (file)
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -597,7 +597,9 @@ init_list_set(struct net *net, struct ip_set *set, u32 size)
        struct set_elem *e;
        u32 i;
 
-       map = kzalloc(sizeof(*map) + size * set->dsize, GFP_KERNEL);
+       map = kzalloc(sizeof(*map) +
+                     min_t(u32, size, IP_SET_LIST_MAX_SIZE) * set->dsize,
+                     GFP_KERNEL);
        if (!map)
                return false;
 
Domain: System / Kernel;