Hello Pablo Neira Ayuso,

Commit 080ed636a559 ("netfilter: nf_tables: no size estimation if
number of set elements is unknown") from May 22, 2017 (linux-next),
leads to the following Smatch static checker warning:

	net/netfilter/nft_set_rbtree.c:727 nft_rbtree_estimate()
	warn: potential user controlled sizeof overflow '88 + desc->size * 24'

net/netfilter/nft_set_rbtree.c
    720 static bool nft_rbtree_estimate(const struct nft_set_desc *desc, u32 features,
    721                                 struct nft_set_estimate *est)
    722 {
    723         if (desc->field_count > 1)
    724                 return false;
    725 
    726         if (desc->size)
--> 727                 est->size = sizeof(struct nft_rbtree) +
    728                             desc->size * sizeof(struct nft_rbtree_elem);
                                    ^^^^^^^^^^
This can only overflow on 32bit systems.  I can't see where est->size
is actually used though.

    729         else
    730                 est->size = ~0;
    731 
    732         est->lookup = NFT_SET_CLASS_O_LOG_N;
    733         est->space  = NFT_SET_CLASS_O_N;
    734 
    735         return true;
    736 }

regards,
dan carpenter
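
The arithmetic behind the warning, as an added example that is not part of the original message or of the kernel source: uint32_t stands in for a 32-bit size_t, the constants 88 and 24 are taken from the warning text, and all function names are hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants from the Smatch warning text '88 + desc->size * 24'. */
#define RBTREE_HDR  88u  /* sizeof(struct nft_rbtree) per the warning */
#define RBTREE_ELEM 24u  /* sizeof(struct nft_rbtree_elem) per the warning */

/* Unchecked form of the expression; uint32_t models a 32-bit size_t,
 * so the result silently wraps modulo 2^32. */
static uint32_t estimate_wrapping(uint32_t nelems)
{
    return RBTREE_HDR + nelems * RBTREE_ELEM;
}

/* Checked form (hypothetical helper): rejects any element count whose
 * estimate does not fit in 32 bits instead of returning a wrapped value. */
static bool estimate_checked(uint32_t nelems, uint32_t *out)
{
    if (nelems > (UINT32_MAX - RBTREE_HDR) / RBTREE_ELEM)
        return false;
    *out = RBTREE_HDR + nelems * RBTREE_ELEM;
    return true;
}

/* Smallest element count for which the unchecked form wraps. */
static uint32_t first_wrapping_count(void)
{
    return (UINT32_MAX - RBTREE_HDR) / RBTREE_ELEM + 1;
}

int main(void)
{
    /* Constructed sample counts around the wrap boundary. */
    uint32_t edge = first_wrapping_count();
    uint32_t samples[] = { 1000u, edge - 1, edge, UINT32_MAX };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t checked = 0;
        bool ok = estimate_checked(samples[i], &checked);
        printf("nelems=%" PRIu32 " unchecked=%" PRIu32 " checked=%s\n",
               samples[i], estimate_wrapping(samples[i]),
               ok ? "fits" : "rejected");
    }
    return 0;
}
```

With these constants the first wrapping count lands exactly on 2^32, so the unchecked estimate becomes 0 rather than a merely smaller number.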