Commit d846f711 authored by Vasiliy Kulikov's avatar Vasiliy Kulikov Committed by Patrick McHardy

bridge: netfilter: fix information leak

Struct tmp is copied from userspace.  It is not checked whether the "name"
field is NULL terminated.  This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline.  It would be seen by all userspace
processes.
Signed-off-by: default avatarVasiliy Kulikov <segoon@openwall.com>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 44bd4de9
...@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user, ...@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
return -ENOMEM; return -ENOMEM;
tmp.name[sizeof(tmp.name) - 1] = 0;
countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids; countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
newinfo = vmalloc(sizeof(*newinfo) + countersize); newinfo = vmalloc(sizeof(*newinfo) + countersize);
if (!newinfo) if (!newinfo)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment