diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-08-01 05:36:57 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-08-05 11:36:04 -0400 |
| commit | e4d091d7bf787cd303383725b8071d0bae76f981 (patch) | |
| tree | 6c9f1bf8e0c0893ebe1ab4eac1151ba6df635142 /net | |
| parent | a206bcb3b02025b23137f3228109d72e0f835c05 (diff) | |
netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message
These structs have a "_pad" member. Also the "phw" structs have an 8
byte "hw_addr[]" array but sometimes only the first 6 bytes are
initialized.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nfnetlink_log.c | 6 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink_queue_core.c | 5 |
2 files changed, 9 insertions, 2 deletions
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index 962e9792e317..d92cc317bf8b 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c | |||
| @@ -419,6 +419,7 @@ __build_packet_message(struct nfnl_log_net *log, | |||
| 419 | nfmsg->version = NFNETLINK_V0; | 419 | nfmsg->version = NFNETLINK_V0; |
| 420 | nfmsg->res_id = htons(inst->group_num); | 420 | nfmsg->res_id = htons(inst->group_num); |
| 421 | 421 | ||
| 422 | memset(&pmsg, 0, sizeof(pmsg)); | ||
| 422 | pmsg.hw_protocol = skb->protocol; | 423 | pmsg.hw_protocol = skb->protocol; |
| 423 | pmsg.hook = hooknum; | 424 | pmsg.hook = hooknum; |
| 424 | 425 | ||
| @@ -498,7 +499,10 @@ __build_packet_message(struct nfnl_log_net *log, | |||
| 498 | if (indev && skb->dev && | 499 | if (indev && skb->dev && |
| 499 | skb->mac_header != skb->network_header) { | 500 | skb->mac_header != skb->network_header) { |
| 500 | struct nfulnl_msg_packet_hw phw; | 501 | struct nfulnl_msg_packet_hw phw; |
| 501 | int len = dev_parse_header(skb, phw.hw_addr); | 502 | int len; |
| 503 | |||
| 504 | memset(&phw, 0, sizeof(phw)); | ||
| 505 | len = dev_parse_header(skb, phw.hw_addr); | ||
| 502 | if (len > 0) { | 506 | if (len > 0) { |
| 503 | phw.hw_addrlen = htons(len); | 507 | phw.hw_addrlen = htons(len); |
| 504 | if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw)) | 508 | if (nla_put(inst->skb, NFULA_HWADDR, sizeof(phw), &phw)) |
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c index 971ea145ab3e..8a703c3dd318 100644 --- a/net/netfilter/nfnetlink_queue_core.c +++ b/net/netfilter/nfnetlink_queue_core.c | |||
| @@ -463,7 +463,10 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, | |||
| 463 | if (indev && entskb->dev && | 463 | if (indev && entskb->dev && |
| 464 | entskb->mac_header != entskb->network_header) { | 464 | entskb->mac_header != entskb->network_header) { |
| 465 | struct nfqnl_msg_packet_hw phw; | 465 | struct nfqnl_msg_packet_hw phw; |
| 466 | int len = dev_parse_header(entskb, phw.hw_addr); | 466 | int len; |
| 467 | |||
| 468 | memset(&phw, 0, sizeof(phw)); | ||
| 469 | len = dev_parse_header(entskb, phw.hw_addr); | ||
| 467 | if (len) { | 470 | if (len) { |
| 468 | phw.hw_addrlen = htons(len); | 471 | phw.hw_addrlen = htons(len); |
| 469 | if (nla_put(skb, NFQA_HWADDR, sizeof(phw), &phw)) | 472 | if (nla_put(skb, NFQA_HWADDR, sizeof(phw), &phw)) |