From patchwork Fri Aug 31 09:43:39 2018
X-Patchwork-Submitter: Stefano Brivio
X-Patchwork-Id: 964357
X-Patchwork-Delegate: pablo@netfilter.org
From: Stefano Brivio
To: Jozsef Kadlecsik
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH ipset v3] Validate string type attributes in attr2data()
Date: Fri, 31 Aug 2018 11:43:39 +0200
Message-Id:
X-Mailing-List: netfilter-devel@vger.kernel.org

Otherwise, we are missing checks in some paths, e.g. we might overrun the
buffer used to save the set name in callback_list() when we strcpy() to it.

Signed-off-by: Stefano Brivio
---
v3: Also as pointed out by Jozsef, there's no need to validate the set name
    in ipset_cmd(), this is done already while parsing the command line, so
    drop that part and change the patch title accordingly.

v2: As requested by Jozsef, move validation of setname length to attr2data()
    for data received via netlink, instead of doing it in callback_list().

 lib/session.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/session.c b/lib/session.c
index ca96aaa57ea6..16b5549e73db 100644
--- a/lib/session.c
+++ b/lib/session.c
@@ -678,6 +678,10 @@ attr2data(struct ipset_session *session, struct nlattr *nla[],
 			default:
 				break;
 			}
+		} else if (attr->type == MNL_TYPE_NUL_STRING) {
+			if (!d || strlen(d) >= attr->len)
+				FAILURE("Broken kernel message: "
+					"string type attribute missing or too long!");
 	}
 #ifdef IPSET_DEBUG
 	else
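Review bot: the new MNL_TYPE_NUL_STRING branch calls strlen(d) on exactly the payload the FAILURE message says may be broken; if a malformed kernel message carries a string attribute without a terminating NUL, strlen() reads past the attribute before the length comparison runs, so the check itself can over-read. Bound the scan by the attribute's actual payload length instead (e.g. strnlen(d, mnl_attr_get_payload_len(...)) compared against attr->len), or validate the attribute up front with mnl_attr_validate(..., MNL_TYPE_NUL_STRING), which rejects unterminated strings. A one-line comment noting that attr->len is the size of the destination buffer (hence >=, leaving room for the NUL) would also help the next reader of this path.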