diff options
| author | Florian Westphal <fw@strlen.de> | 2012-11-20 20:37:38 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-11-21 17:50:14 -0500 |
| commit | e93b5f9f320db431ec8623a4c667811007e07fd7 (patch) | |
| tree | 803a3d7270e04f520474ecec895f8e7f5f05644c | |
| parent | 4fe198e6b136c516df493ec325ab8f70d470f477 (diff) | |
netfilter: cttimeout: fix buffer overflow
Chen Gang reports:
the length of nla_data(cda[CTA_TIMEOUT_NAME]) is not limited in server side.
And indeed, its used to strcpy to a fixed-sized buffer.
Fortunately, nfnetlink users need CAP_NET_ADMIN.
Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | net/netfilter/nfnetlink_cttimeout.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c index 8847b4d8be06..701c88a20fea 100644 --- a/net/netfilter/nfnetlink_cttimeout.c +++ b/net/netfilter/nfnetlink_cttimeout.c | |||
| @@ -41,7 +41,8 @@ MODULE_DESCRIPTION("cttimeout: Extended Netfilter Connection Tracking timeout tu | |||
| 41 | static LIST_HEAD(cttimeout_list); | 41 | static LIST_HEAD(cttimeout_list); |
| 42 | 42 | ||
| 43 | static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = { | 43 | static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = { |
| 44 | [CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING }, | 44 | [CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING, |
| 45 | .len = CTNL_TIMEOUT_NAME_MAX - 1}, | ||
| 45 | [CTA_TIMEOUT_L3PROTO] = { .type = NLA_U16 }, | 46 | [CTA_TIMEOUT_L3PROTO] = { .type = NLA_U16 }, |
| 46 | [CTA_TIMEOUT_L4PROTO] = { .type = NLA_U8 }, | 47 | [CTA_TIMEOUT_L4PROTO] = { .type = NLA_U8 }, |
| 47 | [CTA_TIMEOUT_DATA] = { .type = NLA_NESTED }, | 48 | [CTA_TIMEOUT_DATA] = { .type = NLA_NESTED }, |