Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

bridge: netfilter: fix information leak

Struct tmp is copied from userspace.  It is not checked whether the "name"
field is NULL terminated.  This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline.  It would be seen by all userspace
processes.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Vasiliy Kulikov 14 years ago
parent
44bd4de9c2
commit
d846f71195
1 changed files with 2 additions and 0 deletions
Split View Show Diff Stats
  1. 2 0
      net/bridge/netfilter/ebtables.c

+ 2 - 0
net/bridge/netfilter/ebtables.c
View File 

@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
 
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 
 		return -ENOMEM;
 
 
+	tmp.name[sizeof(tmp.name) - 1] = 0;
 
+
 
 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
 
 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
 
 	if (!newinfo)