authorPatrick McHardy <kaber@trash.net>2006-05-04 02:20:27 -0400
committerDavid S. Miller <davem@davemloft.net>2006-05-04 02:20:27 -0400
commit7800007c1e2d42cd4120b87b0ba3f3480f17f30a (patch)
tree831514416c91adcf7bdf87b6c6fd8d7660e1883e
parent7582e9d17edbabab6cbe59467c5d1b5e8c04fca8 (diff)
[NETFILTER]: x_tables: don't use __copy_{from,to}_user on unchecked memory in compat layer
Noticed by Linus Torvalds <torvalds@osdl.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/netfilter/ip_tables.c6
-rw-r--r--net/netfilter/x_tables.c4
2 files changed, 5 insertions, 5 deletions
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 6d1c11563943..cee3397ec277 100644
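--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1441,7 +1441,7 @@ static int compat_copy_entry_to_user(struct ipt_entry *e,
 ret = -EFAULT;
 origsize = *size;
 ce = (struct compat_ipt_entry __user *)*dstptr;
-if (__copy_to_user(ce, e, sizeof(struct ipt_entry)))
+if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
 goto out;
 
 *dstptr += sizeof(struct compat_ipt_entry);
@@ -1459,9 +1459,9 @@ static int compat_copy_entry_to_user(struct ipt_entry *e,
 goto out;
 ret = -EFAULT;
 next_offset = e->next_offset - (origsize - *size);
-if (__put_user(target_offset, &ce->target_offset))
+if (put_user(target_offset, &ce->target_offset))
 goto out;
-if (__put_user(next_offset, &ce->next_offset))
+if (put_user(next_offset, &ce->next_offset))
 goto out;
 return 0;
 out: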
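Review bot: Nothing at the changed call sites records why the checked helpers are required, so a later cleanup could switch them back to the `__` variants; above the first `copy_to_user(ce, e, ...)` I would add `/* *dstptr has not been validated with access_ok(); use the checked copy_to_user()/put_user() here */`. The `__`-prefixed helpers skip the address-range check, and the commit title says this memory is unchecked, so with them a destination outside user space would not be rejected. The same comment applies to the `copy_to_user(*dstptr, ...)` calls in xt_compat_match and xt_compat_target in net/netfilter/x_tables.c. Separately, the copy writes `sizeof(struct ipt_entry)` bytes while `*dstptr` advances by `sizeof(struct compat_ipt_entry)`; whether the two sizes are equal is not visible here and is worth confirming. compat_copy_entry_to_user starts and ends outside both hunks.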
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 17abf60f9570..99293c63ff73 100644
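--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -289,7 +289,7 @@ int xt_compat_match(void *match, void **dstptr, int *size, int convert)
 case COMPAT_TO_USER:
 pm = (struct xt_entry_match *)match;
 msize = pm->u.user.match_size;
-if (__copy_to_user(*dstptr, pm, msize)) {
+if (copy_to_user(*dstptr, pm, msize)) {
 ret = -EFAULT;
 break;
 }
@@ -366,7 +366,7 @@ int xt_compat_target(void *target, void **dstptr, int *size, int convert)
 case COMPAT_TO_USER:
 pt = (struct xt_entry_target *)target;
 tsize = pt->u.user.target_size;
-if (__copy_to_user(*dstptr, pt, tsize)) {
+if (copy_to_user(*dstptr, pt, tsize)) {
 ret = -EFAULT;
 break;
 }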
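Review bot: `msize` and `tsize` are read from the entry itself (`pm->u.user.match_size`, `pt->u.user.target_size`) and passed to `copy_to_user` with no visible bound check in either COMPAT_TO_USER branch. copy_to_user confirms that the destination range lies in user space, not that the caller's buffer is that large, so the bound has to come from the caller. If it does, a comment such as `/* caller has sized the user buffer to hold msize bytes at *dstptr */` above each call would record that contract. Both switch statements continue outside the hunks, so a check may exist in lines not shown.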