netfilter: ipset: Fix static checker warning in ip_set_core.c

Dan Carpenter reported the following static checker warning:

        net/netfilter/ipset/ip_set_core.c:1414 call_ad()
        error: 'nlh->nlmsg_len' from user is not capped properly

The payload size is limited now by the max size of size_t.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 5593e97..4ca4e5c 100644 (file)
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1397,7 +1397,8 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
                struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
                struct sk_buff *skb2;
                struct nlmsgerr *errmsg;
-               size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
+               size_t payload = min(SIZE_MAX,
+                                    sizeof(*errmsg) + nlmsg_len(nlh));
                int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
                struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
                struct nlattr *cmdattr;