netfilter: ipset: Fix static checker warning in ip_set_core.c

Dan Carpenter reported the following static checker warning: net/netfilter/ipset/ip_set_core.c:1414 call_ad() error: 'nlh->nlmsg_len' from user is not capped properly The payload size is limited now by the max size of size_t. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2014-09-15 20:48:26 +0200
committer: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2014-09-15 22:20:20 +0200
commit: 73e64e1813e9ea45885419d0fff1e628a6ab95d4 (patch)
tree: 3621a18895f093bafe3626beb20166cc032aa98d /net/netfilter
parent: 0bbe80e571c7b866afd92a98edd32a969467a7a9 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 5593e97426c4..4ca4e5ca6f57 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1397,7 +1397,8 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
 		struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
 		struct sk_buff *skb2;
 		struct nlmsgerr *errmsg;
-		size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
+		size_t payload = min(SIZE_MAX,
+				     sizeof(*errmsg) + nlmsg_len(nlh));
 		int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
 		struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
 		struct nlattr *cmdattr;
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2014-09-15 20:48:26 +0200
committer	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2014-09-15 22:20:20 +0200
commit	73e64e1813e9ea45885419d0fff1e628a6ab95d4 (patch)
tree	3621a18895f093bafe3626beb20166cc032aa98d /net/netfilter
parent	0bbe80e571c7b866afd92a98edd32a969467a7a9 (diff)