From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 25 Jan 2015 17:49:49 +0000 (-0800)
Subject: 3.10-stable patches
X-Git-Tag: v3.10.66~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6af04e0ee509c9d25e7966aed9a5fce36ff997dc;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
	netfilter-ipset-small-potential-read-beyond-the-end-of-buffer.patch
---

diff --git a/queue-3.10/netfilter-ipset-small-potential-read-beyond-the-end-of-buffer.patch b/queue-3.10/netfilter-ipset-small-potential-read-beyond-the-end-of-buffer.patch
new file mode 100644
index 00000000000..0d6477395b7
--- /dev/null
+++ b/queue-3.10/netfilter-ipset-small-potential-read-beyond-the-end-of-buffer.patch
@@ -0,0 +1,37 @@
+From 2196937e12b1b4ba139806d132647e1651d655df Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 10 Nov 2014 17:11:21 +0100
+Subject: netfilter: ipset: small potential read beyond the end of buffer
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 2196937e12b1b4ba139806d132647e1651d655df upstream.
+
+We could be reading 8 bytes into a 4 byte buffer here.  It seems
+harmless but adding a check is the right thing to do and it silences a
+static checker warning.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_core.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1754,6 +1754,12 @@ ip_set_sockfn_get(struct sock *sk, int o
+ 	if (*op < IP_SET_OP_VERSION) {
+ 		/* Check the version at the beginning of operations */
+ 		struct ip_set_req_version *req_version = data;
++
++		if (*len < sizeof(struct ip_set_req_version)) {
++			ret = -EINVAL;
++			goto done;
++		}
++
+ 		if (req_version->version != IPSET_PROTOCOL) {
+ 			ret = -EPROTO;
+ 			goto done;
diff --git a/queue-3.10/series b/queue-3.10/series
index c8aa63f25d2..c78521afd9a 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -44,3 +44,4 @@ um-skip-futex_atomic_cmpxchg_inatomic-test.patch
 x86-um-actually-mark-system-call-tables-readonly.patch
 lockd-fix-a-race-when-initialising-nlmsvc_timeout.patch
 mmc-sdhci-fix-sleep-in-atomic-after-inserting-sd-card.patch
+netfilter-ipset-small-potential-read-beyond-the-end-of-buffer.patch