diff options
author | James Morris <jmorris@namei.org> | 2006-07-30 23:46:38 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-08-02 16:38:23 -0400 |
commit | a280b89982f48e9a32c6410a37419b12ca88af6b (patch) | |
tree | bf9cf034ed75a492bf84a73b7be75d94f2782e50 | |
parent | e795d092507d571d66f2ec98d3efdc7dd284bf80 (diff) |
[SECURITY] secmark: nul-terminate secdata
The patch below fixes a problem in the iptables SECMARK target, where
the user-supplied 'selctx' string may not be nul-terminated.
From initial analysis, it seems that the strlen() called from
selinux_string_to_sid() could run until it arbitrarily finds a zero,
and possibly cause a kernel oops before then.
The impact of this appears limited because the operation requires
CAP_NET_ADMIN, which is essentially always root. Also, the module is
not yet in wide use.
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/netfilter/xt_SECMARK.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index c2ce9c4011cc..de9537ad9a7c 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c | |||
@@ -57,6 +57,8 @@ static int checkentry_selinux(struct xt_secmark_target_info *info) | |||
57 | { | 57 | { |
58 | int err; | 58 | int err; |
59 | struct xt_secmark_target_selinux_info *sel = &info->u.sel; | 59 | struct xt_secmark_target_selinux_info *sel = &info->u.sel; |
60 | |||
61 | sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0'; | ||
60 | 62 | ||
61 | err = selinux_string_to_sid(sel->selctx, &sel->selsid); | 63 | err = selinux_string_to_sid(sel->selctx, &sel->selsid); |
62 | if (err) { | 64 | if (err) { |