Argument parsing buffer overflow in ipset_parse_argv fixed

Argument length checking was simply missing. Fixes netfilter
bugzilla #1492, reported by Marshall Whittaker.

Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

diff --git a/lib/ipset.c b/lib/ipset.c
index 86334914cd74d6ccd61651d4f9570425d1ea01d6..8ae2b6f3b2cc26a61036a9d3ea7ebfc8c55c2df3 100644 (file)
--- a/lib/ipset.c
+++ b/lib/ipset.c
@@ -949,6 +949,11 @@ ipset_parse_argv(struct ipset *ipset, int oargc, char *oargv[])
        int argc = oargc;
        char *argv[MAX_ARGS] = {};
 
+       if (argc > MAX_ARGS)
+               return ipset->custom_error(ipset,
+                               p, IPSET_PARAMETER_PROBLEM,
+                               "Line is too long to parse.");
+
        /* We need a local copy because of ipset_shift_argv */
        memcpy(argv, oargv, sizeof(char *) * argc);