Otherwise, we are missing checks in some paths, e.g. we might overrun the buffer used to save the set name in callback_list() when we strcpy() to it.

Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx>
---
v3: Also as pointed out by Jozsef, there's no need to validate the set name in ipset_cmd(), this is done already while parsing the command line, so drop that part and change the patch title accordingly.

v2: As requested by Jozsef, move validation of setname length to attr2data() for data received via netlink, instead of doing it in callback_list().

 lib/session.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/session.c b/lib/session.c index ca96aaa57ea6..16b5549e73db 100644 --- a/lib/session.c +++ b/lib/session.c @@ -678,6 +678,10 @@ attr2data(struct ipset_session *session, struct nlattr *nla[], default: break; } + } else if (attr->type == MNL_TYPE_NUL_STRING) { + if (!d || strlen(d) >= attr->len) + FAILURE("Broken kernel message: " + "string type attribute missing or too long!"); } #ifdef IPSET_DEBUG else -- 2.18.0
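Review bot: in the added `else if (attr->type == MNL_TYPE_NUL_STRING)` branch, `strlen(d)` is itself unbounded, so a broken kernel message whose string payload is not NUL-terminated makes `strlen()` read past the attribute before the `>= attr->len` comparison can reject it; `strnlen(d, attr->len) >= attr->len` gives the same rejection with the read capped at `attr->len` bytes. This is moot if the attribute has already passed `mnl_attr_validate()` for `MNL_TYPE_NUL_STRING`, which verifies NUL termination within the payload, but that is not visible in this hunk, so either use `strnlen()` here or add a short comment stating where termination is guaranteed.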