Skip to content

Commit

Permalink
bridge: netfilter: fix information leak
Browse files Browse the repository at this point in the history 
Struct tmp is copied from userspace.  It is not checked whether the "name"
field is NULL terminated.  This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline.  It would be seen by all userspace
processes.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
  • Loading branch information
Vasiliy Kulikov authored and Patrick McHardy committed Feb 14, 2011
1 parent 44bd4de commit d846f71
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/bridge/netfilter/ebtables.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
return -ENOMEM;

tmp.name[sizeof(tmp.name) - 1] = 0;

countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
newinfo = vmalloc(sizeof(*newinfo) + countersize);
if (!newinfo)
Expand Down

0 comments on commit d846f71

Please sign in to comment.