Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: ipset: Fix warn: integer overflows 'sizeof(*map) + size * set->dsize'

Dan Carpenter reported that the static checker emits the warning

net/netfilter/ipset/ip_set_list_set.c:600 init_list_set()
warn: integer overflows 'sizeof(*map) + size * set->dsize'

Limit the maximal number of elements in list type of sets.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

+4 -1
+1
include/linux/netfilter/ipset/ip_set_list.h
··· 6 6 7 7 #define IP_SET_LIST_DEFAULT_SIZE 8 8 8 #define IP_SET_LIST_MIN_SIZE 4 9 + #define IP_SET_LIST_MAX_SIZE 65536 9 10 10 11 #endif /* __IP_SET_LIST_H */
+3 -1
net/netfilter/ipset/ip_set_list_set.c
··· 597 597 struct set_elem *e; 598 598 u32 i; 599 599 600 - map = kzalloc(sizeof(*map) + size * set->dsize, GFP_KERNEL); 600 + map = kzalloc(sizeof(*map) + 601 + min_t(u32, size, IP_SET_LIST_MAX_SIZE) * set->dsize, 602 + GFP_KERNEL); 601 603 if (!map) 602 604 return false; 603 605
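Review bot: In include/linux/netfilter/ipset/ip_set_list.h, the new `#define IP_SET_LIST_MAX_SIZE 65536` has no comment saying what the limit is for. Its only visible use is to bound the `size * set->dsize` term in init_list_set(), so a one-line comment stating that it caps the element count to keep the allocation size from wrapping would help. Whether 65536 is low enough also depends on the largest value set->dsize can take, which is worth noting next to the constant.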
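Review bot: In init_list_set() in net/netfilter/ipset/ip_set_list_set.c, the clamp sits only inside the kzalloc() argument, so `size` itself keeps the caller's value after the allocation. If the remainder of the function (not shown in this hunk) stores or iterates over `size`, it will disagree with the number of elements actually allocated whenever size exceeds IP_SET_LIST_MAX_SIZE. Consider clamping once before the allocation, for example `size = min_t(u32, size, IP_SET_LIST_MAX_SIZE);`, or rejecting an oversized request with an error in the caller, so that the allocation and every later use share one value and the user is not silently given a smaller set than requested.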