netfilter: ipset: Check for comment netlink attribute length

Ensure userspace supplies string not longer than IPSET_MAX_COMMENT_SIZE. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: ipset: Check for comment netlink attribute length
Ensure userspace supplies string not longer than IPSET_MAX_COMMENT_SIZE. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Sergey Popovich · Pablo Neira Ayuso
1 parent 728a7e6903
Showing 15 changed files with 30 additions and 15 deletions Side-by-side Diff
net/netfilter/ipset/ip_set_bitmap_ip.c
net/netfilter/ipset/ip_set_bitmap_ipmac.c
net/netfilter/ipset/ip_set_bitmap_port.c
net/netfilter/ipset/ip_set_hash_ip.c
net/netfilter/ipset/ip_set_hash_ipmark.c
net/netfilter/ipset/ip_set_hash_ipport.c
net/netfilter/ipset/ip_set_hash_ipportip.c
net/netfilter/ipset/ip_set_hash_ipportnet.c
net/netfilter/ipset/ip_set_hash_mac.c
net/netfilter/ipset/ip_set_hash_net.c
net/netfilter/ipset/ip_set_hash_netiface.c
net/netfilter/ipset/ip_set_hash_netnet.c
net/netfilter/ipset/ip_set_hash_netport.c
net/netfilter/ipset/ip_set_hash_netportnet.c
net/netfilter/ipset/ip_set_list_set.c
@@ -364,7 +364,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -401,7 +401,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -294,7 +294,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -304,7 +304,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -310,7 +310,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -373,7 +373,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -385,7 +385,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -544,7 +544,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -153,7 +153,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -386,7 +386,8 @@
 		[IPSET_ATTR_CADT_FLAGS]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -616,7 +616,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -479,7 +479,8 @@
 		[IPSET_ATTR_CADT_FLAGS]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -492,7 +492,8 @@
 		[IPSET_ATTR_CADT_FLAGS]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -580,7 +580,8 @@
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
@@ -678,7 +678,8 @@
 		[IPSET_ATTR_CADT_FLAGS]	= { .type = NLA_U32 },
 		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
 		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
-		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING },
+		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
+					    .len  = IPSET_MAX_COMMENT_SIZE },
 		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
 		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
 		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
...	...	@@ -364,7 +364,8 @@
364	364	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
365	365	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
366	366	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
367		- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
	367	+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
	368	+ .len = IPSET_MAX_COMMENT_SIZE },
368	369	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
369	370	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
370	371	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
...	...	@@ -401,7 +401,8 @@
401	401	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
402	402	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
403	403	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
404		- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
	404	+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
	405	+ .len = IPSET_MAX_COMMENT_SIZE },
405	406	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
406	407	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
407	408	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
...	...	@@ -294,7 +294,8 @@
294	294	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
295	295	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
296	296	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
297		- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
	297	+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
	298	+ .len = IPSET_MAX_COMMENT_SIZE },
298	299	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
299	300	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
300	301	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
...	...	@@ -304,7 +304,8 @@
304	304	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
305	305	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
306	306	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
307		- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
	307	+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
	308	+ .len = IPSET_MAX_COMMENT_SIZE },
308	309	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
309	310	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
310	311	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
...	...	@@ -310,7 +310,8 @@
310	310	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
311	311	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
312	312	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
313		- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
	313	+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
	314	+ .len = IPSET_MAX_COMMENT_SIZE },
314	315	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
315	316	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
316	317	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
...	...	@@ -373,7 +373,8 @@
373	373	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
374	374	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
375	375	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
376		- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
	376	+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
	377	+ .len = IPSET_MAX_COMMENT_SIZE },
377	378	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
378	379	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
379	380	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
...	...	@@ -385,7 +385,8 @@
385	385	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
386	386	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
387	387	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
388		- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
	388	+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
	389	+ .len = IPSET_MAX_COMMENT_SIZE },
389	390	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
390	391	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
391	392	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
...	...	@@ -544,7 +544,8 @@
544	544	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
545	545	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
546	546	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
547		- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
	547	+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
	548	+ .len = IPSET_MAX_COMMENT_SIZE },
548	549	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
549	550	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
550	551	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
...	...	@@ -153,7 +153,8 @@
153	153	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
154	154	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
155	155	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
156		- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
	156	+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
	157	+ .len = IPSET_MAX_COMMENT_SIZE },
157	158	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
158	159	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
159	160	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
...	...	@@ -386,7 +386,8 @@
386	386	[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
387	387	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
388	388	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
389		- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
	389	+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
	390	+ .len = IPSET_MAX_COMMENT_SIZE },
390	391	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
391	392	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
392	393	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },