aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-02-14 10:49:23 -0500
committerPatrick McHardy <kaber@trash.net>2011-02-14 10:49:23 -0500
commitd846f71195d57b0bbb143382647c2c6638b04c5a (patch)
tree67515bc845a399c77df22dd859cabdb17dcd70ff
parent44bd4de9c2270b22c3c898310102bc6be9ed2978 (diff)
bridge: netfilter: fix information leak
Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--net/bridge/netfilter/ebtables.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5f1825df9dca..893669caa8de 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
1107 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) 1107 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
1108 return -ENOMEM; 1108 return -ENOMEM;
1109 1109
1110 tmp.name[sizeof(tmp.name) - 1] = 0;
1111
1110 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; 1112 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
1111 newinfo = vmalloc(sizeof(*newinfo) + countersize); 1113 newinfo = vmalloc(sizeof(*newinfo) + countersize);
1112 if (!newinfo) 1114 if (!newinfo)