bridge: netfilter: fix information leak

commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream. Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
author: Vasiliy Kulikov <segoon@openwall.com> 2011-02-14 16:49:23 +0100
committer: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-06-26 12:47:20 -0400
commit: 41c6364db6028e2776250be12961b30f4a2ffbf9 (patch)
tree: 00ec4109addb2b10f818ee59b3a7f96d201d6596
parent: 26b6a59e8b70435996c86f705dfb7f66124f5b1e (diff)
download: linux-rt-41c6364db6028e2776250be12961b30f4a2ffbf9.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index f0865fd1e3ec..2b8c983eeab6 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1112,6 +1112,8 @@ static int do_replace(struct net *net, const void __user *user,
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
 
+	tmp.name[sizeof(tmp.name) - 1] = 0;
+
 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
 	if (!newinfo)
author	Vasiliy Kulikov <segoon@openwall.com>	2011-02-14 16:49:23 +0100
committer	Paul Gortmaker <paul.gortmaker@windriver.com>	2011-06-26 12:47:20 -0400
commit	41c6364db6028e2776250be12961b30f4a2ffbf9 (patch)
tree	00ec4109addb2b10f818ee59b3a7f96d201d6596
parent	26b6a59e8b70435996c86f705dfb7f66124f5b1e (diff)
download	linux-rt-41c6364db6028e2776250be12961b30f4a2ffbf9.tar.gz