author | Patrick McHardy <kaber@trash.net> | 2009-06-22 08:15:30 -0400 |
committer | Patrick McHardy <kaber@trash.net> | 2009-06-22 08:15:30 -0400 |
commit | 249556192859490b6280552d4b877064f9f5ee48 (patch) | |
tree | 2817f5dc625d6c34b693181874945690be74adfc | |
parent | f9ffc31251c2caa11962c9b74ce650e2167fa8d1 (diff) |
netfilter: nf_log: fix direct userspace memory access in proc handler
Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r-- | net/netfilter/nf_log.c | 16 |
1 files changed, 11 insertions, 5 deletions
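--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -47,7 +47,6 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger)
 	mutex_lock(&nf_log_mutex);
 
 	if (pf == NFPROTO_UNSPEC) {
-		int i;
 		for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
 			list_add_tail(&(logger->list[i]), &(nf_loggers_l[i]));
 	} else {
@@ -216,7 +215,7 @@ static const struct file_operations nflog_file_ops = {
 #endif /* PROC_FS */
 
 #ifdef CONFIG_SYSCTL
-struct ctl_path nf_log_sysctl_path[] = {
+static struct ctl_path nf_log_sysctl_path[] = {
 	{ .procname = "net", .ctl_name = CTL_NET, },
 	{ .procname = "netfilter", .ctl_name = NET_NETFILTER, },
 	{ .procname = "nf_log", .ctl_name = CTL_UNNUMBERED, },
@@ -228,19 +227,26 @@ static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
 static struct ctl_table_header *nf_log_dir_header;
 
 static int nf_log_proc_dostring(ctl_table *table, int write, struct file *filp,
-			 void *buffer, size_t *lenp, loff_t *ppos)
+			 void __user *buffer, size_t *lenp, loff_t *ppos)
 {
 	const struct nf_logger *logger;
+	char buf[NFLOGGER_NAME_LEN];
+	size_t size = *lenp;
 	int r = 0;
 	int tindex = (unsigned long)table->extra1;
 
 	if (write) {
-		if (!strcmp(buffer, "NONE")) {
+		if (size > sizeof(buf))
+			size = sizeof(buf);
+		if (copy_from_user(buf, buffer, size))
+			return -EFAULT;
+
+		if (!strcmp(buf, "NONE")) {
 			nf_log_unbind_pf(tindex);
 			return 0;
 		}
 		mutex_lock(&nf_log_mutex);
-		logger = __find_logger(tindex, buffer);
+		logger = __find_logger(tindex, buf);
 		if (logger == NULL) {
 			mutex_unlock(&nf_log_mutex);
 			return -ENOENT;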
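Review bot: The copy in the third hunk does not guarantee that `buf` is NUL-terminated: the clamp allows `size == sizeof(buf)`, so a write of NFLOGGER_NAME_LEN or more bytes fills the whole stack array and the following `strcmp(buf, "NONE")` and `__find_logger(tindex, buf)` read past its end. Reserving one byte for the terminator and setting it after the copy closes this: `if (size > sizeof(buf) - 1) size = sizeof(buf) - 1;`, then after the `copy_from_user()` check `buf[size] = '\0';`. Writing the terminator at `buf[size]` rather than `buf[size - 1]` also keeps a zero-length write (`*lenp == 0`) safe. The first and second hunks (dropping the shadowed `int i`, making `nf_log_sysctl_path` static) raise nothing; nf_log_proc_dostring's body continues past the end of this hunk.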