diff options
author | Vasiliy Kulikov <segoon@openwall.com> | 2011-02-14 16:49:23 +0100 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2011-02-14 16:49:23 +0100 |
commit | d846f71195d57b0bbb143382647c2c6638b04c5a (patch) | |
tree | 67515bc845a399c77df22dd859cabdb17dcd70ff | |
parent | netfilter: xt_connlimit: connlimit-above early loop termination (diff) | |
download | linux-d846f71195d57b0bbb143382647c2c6638b04c5a.tar.xz linux-d846f71195d57b0bbb143382647c2c6638b04c5a.zip |
bridge: netfilter: fix information leak
Struct tmp is copied from userspace. It is not checked whether the "name"
field is NULL terminated. This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline. It would be seen by all userspace
processes.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r-- | net/bridge/netfilter/ebtables.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 5f1825df9dca..893669caa8de 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user, if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) return -ENOMEM; + tmp.name[sizeof(tmp.name) - 1] = 0; + countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; newinfo = vmalloc(sizeof(*newinfo) + countersize); if (!newinfo) |