Hello Jozsef Kadlecsik,
The patch f830837f0eed: "netfilter: ipset: list:set set type support"
from Feb 1, 2011, leads to the following static checker warning:
net/netfilter/ipset/ip_set_list_set.c:600 init_list_set()
warn: integer overflows 'sizeof(*map) + size * set->dsize'
net/netfilter/ipset/ip_set_list_set.c
594 init_list_set(struct net *net, struct ip_set *set, u32 size)
595 {
596 struct list_set *map;
597 struct set_elem *e;
598 u32 i;
599
600 map = kzalloc(sizeof(*map) + size * set->dsize, GFP_KERNEL);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This can overflow. size is a number between 4-u32max.
601 if (!map)
602 return false;
603
604 map->size = size;
605 map->net = net;
606 set->data = map;
607
608 for (i = 0; i < size; i++) {
609 e = list_set_elem(set, map, i);
610 e->id = IPSET_INVALID_ID;
611 }
612
613 return true;
614 }
615
616 static int
617 list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
618 u32 flags)
619 {
620 u32 size = IP_SET_LIST_DEFAULT_SIZE;
621
622 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_SIZE) ||
623 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
624 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
625 return -IPSET_ERR_PROTOCOL;
626
627 if (tb[IPSET_ATTR_SIZE])
628 size = ip_set_get_h32(tb[IPSET_ATTR_SIZE]);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
size is set here.
629 if (size < IP_SET_LIST_MIN_SIZE)
630 size = IP_SET_LIST_MIN_SIZE;
There should be a IP_SET_LIST_MAX_SIZE probably, but I don't know what
a reasonable upper bound should be.
631
632 set->variant = &set_variant;
633 set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem));
634 if (!init_list_set(net, set, size))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Function call.
635 return -ENOMEM;
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
