Hello Jozsef Kadlecsik, The patch f830837f0eed: "netfilter: ipset: list:set set type support" from Feb 1, 2011, leads to the following static checker warning: net/netfilter/ipset/ip_set_list_set.c:600 init_list_set() warn: integer overflows 'sizeof(*map) + size * set->dsize' net/netfilter/ipset/ip_set_list_set.c 594 init_list_set(struct net *net, struct ip_set *set, u32 size) 595 { 596 struct list_set *map; 597 struct set_elem *e; 598 u32 i; 599 600 map = kzalloc(sizeof(*map) + size * set->dsize, GFP_KERNEL); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This can overflow: `size` is a caller-chosen u32 anywhere between IP_SET_LIST_MIN_SIZE (4) and U32_MAX (it comes straight from the IPSET_ATTR_SIZE netlink attribute, see list_set_create() below) and is multiplied by `set->dsize` with no bound check. If the product wraps, kzalloc() hands back a buffer far smaller than `size` elements, yet `map->size` (line 604) still records the full `size` and the loop at 608-611 walks all `size` elements through list_set_elem() - an out-of-bounds heap write - and any later code that trusts map->size would index past the end of the allocation as well. (Whether the multiplication actually wraps depends on the width of set->dsize and on the architecture; at minimum the requested length is unbounded.) 601 if (!map) 602 return false; 603 604 map->size = size; 605 map->net = net; 606 set->data = map; 607 608 for (i = 0; i < size; i++) { 609 e = list_set_elem(set, map, i); 610 e->id = IPSET_INVALID_ID; 611 } 612 613 return true; 614 } 615 616 static int 617 list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[], 618 u32 flags) 619 { 620 u32 size = IP_SET_LIST_DEFAULT_SIZE; 621 622 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_SIZE) || 623 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || 624 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS))) 625 return -IPSET_ERR_PROTOCOL; 626 627 if (tb[IPSET_ATTR_SIZE]) 628 size = ip_set_get_h32(tb[IPSET_ATTR_SIZE]); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ size is set here, directly from the netlink attribute, with no upper bound. 629 if (size < IP_SET_LIST_MIN_SIZE) 630 size = IP_SET_LIST_MIN_SIZE; There should probably be an IP_SET_LIST_MAX_SIZE cap here, mirroring the MIN_SIZE clamp, but I don't know what a reasonable upper bound should be. Independently of whatever limit is chosen, init_list_set() should refuse the allocation when `size` cannot be represented in `sizeof(*map) + size * set->dsize` (e.g. `if (size > (SIZE_MAX - sizeof(*map)) / set->dsize) return false;` before the kzalloc(), or an overflow-checking allocation helper if one is available in this tree), so the checker's case stays closed even if the cap is raised later. Creating a set is presumably restricted to a privileged caller (CAP_NET_ADMIN), which limits but does not remove the exposure. 631 632 set->variant = &set_variant; 633 set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem)); 634 if (!init_list_set(net, set, size)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Function call - this is where the unchecked `size` reaches the multiplication above. 635 return -ENOMEM; regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html