aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2009-06-22 08:15:30 -0400
committerPatrick McHardy <kaber@trash.net>2009-06-22 08:15:30 -0400
commit249556192859490b6280552d4b877064f9f5ee48 (patch)
tree2817f5dc625d6c34b693181874945690be74adfc
parentf9ffc31251c2caa11962c9b74ce650e2167fa8d1 (diff)
netfilter: nf_log: fix direct userspace memory access in proc handler
Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--net/netfilter/nf_log.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 2fefe147750a..4e620305f28c 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -47,7 +47,6 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger)
47 mutex_lock(&nf_log_mutex); 47 mutex_lock(&nf_log_mutex);
48 48
49 if (pf == NFPROTO_UNSPEC) { 49 if (pf == NFPROTO_UNSPEC) {
50 int i;
51 for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) 50 for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
52 list_add_tail(&(logger->list[i]), &(nf_loggers_l[i])); 51 list_add_tail(&(logger->list[i]), &(nf_loggers_l[i]));
53 } else { 52 } else {
@@ -216,7 +215,7 @@ static const struct file_operations nflog_file_ops = {
216#endif /* PROC_FS */ 215#endif /* PROC_FS */
217 216
218#ifdef CONFIG_SYSCTL 217#ifdef CONFIG_SYSCTL
219struct ctl_path nf_log_sysctl_path[] = { 218static struct ctl_path nf_log_sysctl_path[] = {
220 { .procname = "net", .ctl_name = CTL_NET, }, 219 { .procname = "net", .ctl_name = CTL_NET, },
221 { .procname = "netfilter", .ctl_name = NET_NETFILTER, }, 220 { .procname = "netfilter", .ctl_name = NET_NETFILTER, },
222 { .procname = "nf_log", .ctl_name = CTL_UNNUMBERED, }, 221 { .procname = "nf_log", .ctl_name = CTL_UNNUMBERED, },
@@ -228,19 +227,26 @@ static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
228static struct ctl_table_header *nf_log_dir_header; 227static struct ctl_table_header *nf_log_dir_header;
229 228
230static int nf_log_proc_dostring(ctl_table *table, int write, struct file *filp, 229static int nf_log_proc_dostring(ctl_table *table, int write, struct file *filp,
231 void *buffer, size_t *lenp, loff_t *ppos) 230 void __user *buffer, size_t *lenp, loff_t *ppos)
232{ 231{
233 const struct nf_logger *logger; 232 const struct nf_logger *logger;
233 char buf[NFLOGGER_NAME_LEN];
234 size_t size = *lenp;
234 int r = 0; 235 int r = 0;
235 int tindex = (unsigned long)table->extra1; 236 int tindex = (unsigned long)table->extra1;
236 237
237 if (write) { 238 if (write) {
238 if (!strcmp(buffer, "NONE")) { 239 if (size > sizeof(buf))
240 size = sizeof(buf);
241 if (copy_from_user(buf, buffer, size))
242 return -EFAULT;
243
244 if (!strcmp(buf, "NONE")) {
239 nf_log_unbind_pf(tindex); 245 nf_log_unbind_pf(tindex);
240 return 0; 246 return 0;
241 } 247 }
242 mutex_lock(&nf_log_mutex); 248 mutex_lock(&nf_log_mutex);
243 logger = __find_logger(tindex, buffer); 249 logger = __find_logger(tindex, buf);
244 if (logger == NULL) { 250 if (logger == NULL) {
245 mutex_unlock(&nf_log_mutex); 251 mutex_unlock(&nf_log_mutex);
246 return -ENOENT; 252 return -ENOENT;