diff options
| author | Mathias Krause <minipli@googlemail.com> | 2013-09-30 16:05:08 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-02 11:28:36 -0400 |
| commit | 278f2b3e2af5f32ea1afe34fa12a2518153e6e49 (patch) | |
| tree | d8984c0f78c62752b8c4112edceb1476f1da9fff /net | |
| parent | ca0a10672dad94aa1f89645f89eb6047b7bf2a19 (diff) | |
netfilter: ipt_ULOG: fix info leaks
The ulog messages leak heap bytes by the means of padding bytes and
incompletely filled string arrays. Fix those by memset(0)'ing the
whole struct before filling it.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/ipt_ULOG.c | 7 |
1 files changed, 1 insertions, 6 deletions
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index cbc22158af49..9cb993cd224b 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c | |||
| @@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net, | |||
| 220 | ub->qlen++; | 220 | ub->qlen++; |
| 221 | 221 | ||
| 222 | pm = nlmsg_data(nlh); | 222 | pm = nlmsg_data(nlh); |
| 223 | memset(pm, 0, sizeof(*pm)); | ||
| 223 | 224 | ||
| 224 | /* We might not have a timestamp, get one */ | 225 | /* We might not have a timestamp, get one */ |
| 225 | if (skb->tstamp.tv64 == 0) | 226 | if (skb->tstamp.tv64 == 0) |
| @@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net, | |||
| 238 | } | 239 | } |
| 239 | else if (loginfo->prefix[0] != '\0') | 240 | else if (loginfo->prefix[0] != '\0') |
| 240 | strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)); | 241 | strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)); |
| 241 | else | ||
| 242 | *(pm->prefix) = '\0'; | ||
| 243 | 242 | ||
| 244 | if (in && in->hard_header_len > 0 && | 243 | if (in && in->hard_header_len > 0 && |
| 245 | skb->mac_header != skb->network_header && | 244 | skb->mac_header != skb->network_header && |
| @@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net, | |||
| 251 | 250 | ||
| 252 | if (in) | 251 | if (in) |
| 253 | strncpy(pm->indev_name, in->name, sizeof(pm->indev_name)); | 252 | strncpy(pm->indev_name, in->name, sizeof(pm->indev_name)); |
| 254 | else | ||
| 255 | pm->indev_name[0] = '\0'; | ||
| 256 | 253 | ||
| 257 | if (out) | 254 | if (out) |
| 258 | strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); | 255 | strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); |
| 259 | else | ||
| 260 | pm->outdev_name[0] = '\0'; | ||
| 261 | 256 | ||
| 262 | /* copy_len <= skb->len, so can't fail. */ | 257 | /* copy_len <= skb->len, so can't fail. */ |
| 263 | if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) | 258 | if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) |