[PATCH] bridge: netfilter: fix information leak |
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- To: linux-kernel@xxxxxxxxxxxxxxx
- Subject: [PATCH] bridge: netfilter: fix information leak
- From: Vasiliy Kulikov <segoon@xxxxxxxxxxxx>
- Date: Mon, 14 Feb 2011 13:54:35 +0300
- Cc: security@xxxxxxxxxx, bridge@xxxxxxxxxxxxxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx, netfilter@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxxxxxx, ebtables-user@xxxxxxxxxxxxxxxxxxxxx, "David S. Miller" <davem@xxxxxxxxxxxxx>, Bart De Schuymer <bart.de.schuymer@xxxxxxxxxx>, netfilter-devel@xxxxxxxxxxxxxxx, ebtables-devel@xxxxxxxxxxxxxxxxxxxxx
Struct tmp is copied from userspace. It is not checked whether the "name"
field is NULL terminated. This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline. It would be seen by all userspace
processes.
Signed-off-by: Vasiliy Kulikov <segoon@xxxxxxxxxxxx>
---
Compile tested.
net/bridge/netfilter/ebtables.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5f1825d..1ea820b 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
return -ENOMEM;
+ tmp.name[sizeof(tmp.name)-1] = 0;
+
countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
newinfo = vmalloc(sizeof(*newinfo) + countersize);
if (!newinfo)
--
1.7.0.4
_______________________________________________
Bridge mailing list
Bridge@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/bridge
[Netdev]
[AoE Tools]
[Linux Wireless]
[Kernel Newbies]
[Security]
[Linux for Hams]
[Netfilter]
[Bugtraq]
[Photo]
[Yosemite]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux RAID]
[Linux Admin]
[Samba]
[Video 4 Linux]
[Linux Resources]
