summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-02-14 16:49:23 +0100
committerGreg Kroah-Hartman <gregkh@suse.de>2011-04-14 16:53:32 -0700
commita04a632411960cb96d5b9defa571eb8128999f11 (patch)
treedb9628c8be21ff0935cacdda5def6a8824d3e7e9
parent1fdae7255ced792c46a1b697aa7f27b2f3b4e322 (diff)
downloadlinux-stable-a04a632411960cb96d5b9defa571eb8128999f11.tar.gz
linux-stable-a04a632411960cb96d5b9defa571eb8128999f11.tar.bz2
linux-stable-a04a632411960cb96d5b9defa571eb8128999f11.zip
bridge: netfilter: fix information leak
commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream. Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--net/bridge/netfilter/ebtables.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 0b7f262cd148..d73d47f2a4ad 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -979,6 +979,8 @@ static int do_replace(struct net *net, void __user *user, unsigned int len)
if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
return -ENOMEM;
+ tmp.name[sizeof(tmp.name) - 1] = 0;
+
countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
newinfo = vmalloc(sizeof(*newinfo) + countersize);
if (!newinfo)