netfilter: ipset: small potential read beyond the end of buffer

commit 2196937e12b1b4ba139806d132647e1651d655df upstream. We could be reading 8 bytes into a 4 byte buffer here. It seems harmless but adding a check is the right thing to do and it silences a static checker warning. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Dan Carpenter <dan.carpenter@oracle.com> 2014-11-10 17:11:21 +0100
committer: Ben Hutchings <ben@decadent.org.uk> 2015-02-20 00:49:41 +0000
commit: d64fba0de2f9cc5519398e220c5537a5a881458f (patch)
tree: b29bd22b16e0a7e80b2ba0eea0ef5e39163a6304
parent: dc4a2f40de419c01b538c87f6bdfc15d574d9f7e (diff)
download: lwn-d64fba0de2f9cc5519398e220c5537a5a881458f.tar.gz
lwn-d64fba0de2f9cc5519398e220c5537a5a881458f.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 86137b558f45..b88dcec0c642 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1615,6 +1615,12 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
 	if (*op < IP_SET_OP_VERSION) {
 		/* Check the version at the beginning of operations */
 		struct ip_set_req_version *req_version = data;
+
+		if (*len < sizeof(struct ip_set_req_version)) {
+			ret = -EINVAL;
+			goto done;
+		}
+
 		if (req_version->version != IPSET_PROTOCOL) {
 			ret = -EPROTO;
 			goto done;
author	Dan Carpenter <dan.carpenter@oracle.com>	2014-11-10 17:11:21 +0100
committer	Ben Hutchings <ben@decadent.org.uk>	2015-02-20 00:49:41 +0000
commit	d64fba0de2f9cc5519398e220c5537a5a881458f (patch)
tree	b29bd22b16e0a7e80b2ba0eea0ef5e39163a6304
parent	dc4a2f40de419c01b538c87f6bdfc15d574d9f7e (diff)
download	lwn-d64fba0de2f9cc5519398e220c5537a5a881458f.tar.gz lwn-d64fba0de2f9cc5519398e220c5537a5a881458f.zip