netfilter: ipt_ULOG: fix info leaks

commit 278f2b3e upstream. The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

netfilter: ipt_ULOG: fix info leaks
commit 278f2b3e upstream. The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
0368fea2 · Mathias Krause · Ben Hutchings · 438127dd · 0368fea2
Commit 0368fea2 authored Sep 30, 2013 by Mathias Krause Committed by Ben Hutchings Aug 06, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 6 deletions

net/ipv4/netfilter/ipt_ULOG.c net/ipv4/netfilter/ipt_ULOG.c +1 -6

No files found.
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -202,6 +202,7 @@ static void ipt_ulog_packet(unsigned int hooknum,
 	ub->qlen++;
 	pm = NLMSG_DATA(nlh);
+	memset(pm, 0, sizeof(*pm));
 	/* We might not have a timestamp, get one */
 	if (skb->tstamp.tv64 == 0)
@@ -218,8 +219,6 @@ static void ipt_ulog_packet(unsigned int hooknum,
 		strncpy(pm->prefix, prefix, sizeof(pm->prefix));
 	else if (loginfo->prefix[0] != '\0')
 		strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
-	else
-		*(pm->prefix) = '\0';
 	if (in && in->hard_header_len > 0 &&
 	    skb->mac_header != skb->network_header &&
@@ -231,13 +230,9 @@ static void ipt_ulog_packet(unsigned int hooknum,
 	if (in)
 		strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
-	else
-		pm->indev_name[0] = '\0';
 	if (out)
 		strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));
-	else
-		pm->outdev_name[0] = '\0';
 	/* copy_len <= skb->len, so can't fail. */
 	if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)