summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2013-09-30 22:05:08 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2014-07-06 18:54:15 -0700
commit3ca696839223ed38faeaf9b215b35c91ef6a5811 (patch)
tree79b058a9639649ffecce4987dd70edc1afc3a303 /net
parenta50ea099bbae3f98ba485b04ff07f884f3236adf (diff)
downloadlinux-3.10-3ca696839223ed38faeaf9b215b35c91ef6a5811.tar.gz
linux-3.10-3ca696839223ed38faeaf9b215b35c91ef6a5811.tar.bz2
linux-3.10-3ca696839223ed38faeaf9b215b35c91ef6a5811.zip
netfilter: ipt_ULOG: fix info leaks
commit 278f2b3e2af5f32ea1afe34fa12a2518153e6e49 upstream. The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Jan Tore Morken <jantore@morken.priv.no> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/ipt_ULOG.c7
1 files changed, 1 insertions, 6 deletions
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 32b0e978c8e..f8629c04f35 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net,
ub->qlen++;
pm = nlmsg_data(nlh);
+ memset(pm, 0, sizeof(*pm));
/* We might not have a timestamp, get one */
if (skb->tstamp.tv64 == 0)
@@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net,
}
else if (loginfo->prefix[0] != '\0')
strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
- else
- *(pm->prefix) = '\0';
if (in && in->hard_header_len > 0 &&
skb->mac_header != skb->network_header &&
@@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net,
if (in)
strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
- else
- pm->indev_name[0] = '\0';
if (out)
strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));
- else
- pm->outdev_name[0] = '\0';
/* copy_len <= skb->len, so can't fail. */
if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-24 09:27:45 +0000