From: Jozsef Kadlecsik Date: Tue, 19 Jan 2021 07:39:50 +0000 (+0100) Subject: Argument parsing buffer overflow in ipset_parse_argv fixed X-Git-Tag: v7.11~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a11d65f39b39e573418b4296b22c3dccfd5a4b5c;p=thirdparty%2Fipset.git Argument parsing buffer overflow in ipset_parse_argv fixed Argument length checking was simply missing. Fixes netfilter bugzilla #1492, reported by Marshall Whittaker. Signed-off-by: Jozsef Kadlecsik --- diff --git a/lib/ipset.c b/lib/ipset.c index 86334914..8ae2b6f3 100644 --- a/lib/ipset.c +++ b/lib/ipset.c @@ -949,6 +949,11 @@ ipset_parse_argv(struct ipset *ipset, int oargc, char *oargv[]) int argc = oargc; char *argv[MAX_ARGS] = {}; + if (argc > MAX_ARGS) + return ipset->custom_error(ipset, + p, IPSET_PARAMETER_PROBLEM, + "Line is too long to parse."); + /* We need a local copy because of ipset_shift_argv */ memcpy(argv, oargv, sizeof(char *) * argc);
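Review bot: The new bound in ipset_parse_argv only checks the upper side, `if (argc > MAX_ARGS)`, while `argc` is a signed `int` copied from `oargc` and is then used in `memcpy(argv, oargv, sizeof(char *) * argc)`. A negative value passes the check and is converted to a very large size_t in the multiplication. Since this is a library entry point, consider rejecting it in the same test, for example `if (argc < 0 || argc > MAX_ARGS)`. Two smaller points on the same lines: the check allows `argc == MAX_ARGS`, which fills `argv[MAX_ARGS]` completely and leaves no NULL slot after the last argument, so it is worth confirming that nothing later in the function reads `argv[argc]`; and `p` is passed to `custom_error` but its declaration is not visible in this hunk, so confirm it is initialized before this early return. The message "Line is too long to parse." describes line length while the check is on argument count, so wording such as "too many arguments" would match the condition better.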