From: Stefano Brivio Date: Fri, 31 Aug 2018 09:43:39 +0000 (+0200) Subject: Validate string type attributes in attr2data() X-Git-Tag: v7.0~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c16de1a51928ee023199195652ed90ce0fd5950;p=thirdparty%2Fipset.git Validate string type attributes in attr2data() Otherwise, we are missing checks in some paths, e.g. we might overrun the buffer used to save the set name in callback_list() when we strcpy() to it. Signed-off-by: Stefano Brivio Signed-off-by: Jozsef Kadlecsik --- diff --git a/lib/session.c b/lib/session.c index ca96aaa5..16b5549e 100644 --- a/lib/session.c +++ b/lib/session.c @@ -678,6 +678,10 @@ attr2data(struct ipset_session *session, struct nlattr *nla[], default: break; } + } else if (attr->type == MNL_TYPE_NUL_STRING) { + if (!d || strlen(d) >= attr->len) + FAILURE("Broken kernel message: " + "string type attribute missing or too long!"); } #ifdef IPSET_DEBUG else
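Review bot: In the new `MNL_TYPE_NUL_STRING` branch, `strlen(d)` is unbounded, so the validation can itself read past the attribute payload when the kernel message carries a string with no terminating NUL. Unless termination is already guaranteed by a check earlier in the receive path (not visible in this hunk), bound the scan, for example `if (!d || strnlen(d, attr->len) >= attr->len)`, which rejects the same inputs without walking beyond `attr->len` bytes. The `>=` comparison does leave room for the terminator, which matches the `strcpy()` in `callback_list()` that the commit message names, provided `attr->len` is the size of that destination buffer. A short comment stating that assumption would help. The single failure message also covers two different conditions (`!d` and over-length); separate messages would make a broken kernel reply easier to diagnose.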