Hi,

On Sat, 29 Dec 2018, Florent Fourcot wrote:

> One of the memset calls is buggy: it does not erase the full array, but only
> pointer size.
> Moreover, after a check, the first step of nla_parse_nested/nla_parse is to
> erase the tb array as well. We can remove both calls safely.

Yes, good catch. Patch is applied in the ipset git tree.

Best regards,
Jozsef

> Signed-off-by: Florent Fourcot <florent.fourcot@xxxxxxxxxx>
> ---
> net/netfilter/ipset/ip_set_core.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> index 45a257695bef..c1513e590a27 100644
> --- a/net/netfilter/ipset/ip_set_core.c
> +++ b/net/netfilter/ipset/ip_set_core.c
> @@ -1602,7 +1602,6 @@ static int ip_set_uadd(struct net *net, struct sock *ctnl, struct sk_buff *skb,
> int nla_rem;
>
> nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
> - memset(tb, 0, sizeof(tb));
> if (nla_type(nla) != IPSET_ATTR_DATA ||
> !flag_nested(nla) ||
> nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
> @@ -1657,7 +1656,6 @@ static int ip_set_udel(struct net *net, struct sock *ctnl, struct sk_buff *skb,
> int nla_rem;
>
> nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
> - memset(tb, 0, sizeof(*tb));
> if (nla_type(nla) != IPSET_ATTR_DATA ||
> !flag_nested(nla) ||
> nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
> --
> 2.11.0
>
>

--
E-mail : kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
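Review bot: in the ip_set_uadd hunk the removed `memset(tb, 0, sizeof(tb));` was the correct full-array clear (sizeof(tb) is the whole table when tb is a local array), so this deletion is a redundancy cleanup rather than a bug fix, and it is only safe if nothing reads tb on the path where `nla_type(nla) != IPSET_ATTR_DATA` or `!flag_nested(nla)` short-circuits the `||` chain before nla_parse_nested() gets to zero the table; that continuation is outside the hunk, so the reviewer should confirm that path returns without consulting tb. The commit message could also state explicitly that this call was the harmless one of the two.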
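Review bot: the ip_set_udel hunk is the buggy call the message describes: `memset(tb, 0, sizeof(*tb));` uses the size of one element (a single pointer), so only tb[0] was cleared and the remaining slots kept whatever the previous loop iteration left in them. Dropping the call instead of correcting it to sizeof(tb) relies entirely on nla_parse_nested() zeroing tb on every iteration that reaches it; since the removal leaves no clear at all, the same short-circuit caveat applies here, and it would help to name ip_set_udel as the site of the under-sized memset in the commit message.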