summaryrefslogtreecommitdiff
path: root/net/bridge/netfilter
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-02-14 15:49:23 (GMT)
committerPatrick McHardy <kaber@trash.net>2011-02-14 15:49:23 (GMT)
commitd846f71195d57b0bbb143382647c2c6638b04c5a (patch)
tree67515bc845a399c77df22dd859cabdb17dcd70ff /net/bridge/netfilter
parent44bd4de9c2270b22c3c898310102bc6be9ed2978 (diff)
downloadlinux-fsl-qoriq-d846f71195d57b0bbb143382647c2c6638b04c5a.tar.xz
bridge: netfilter: fix information leak
Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/bridge/netfilter')
-rw-r--r--net/bridge/netfilter/ebtables.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5f1825d..893669c 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
return -ENOMEM;
+ tmp.name[sizeof(tmp.name) - 1] = 0;
+
countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
newinfo = vmalloc(sizeof(*newinfo) + countersize);
if (!newinfo)