netfilter: ipt_CLUSTERIP: fix buffer overflow

'buffer' string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

authored by Vasiliy Kulikov and committed by Patrick McHardy 961ed183 db856674

+4 -1
net/ipv4/netfilter/ipt_CLUSTERIP.c
··· 664 char buffer[PROC_WRITELEN+1]; 665 unsigned long nodenum; 666 667 - if (copy_from_user(buffer, input, PROC_WRITELEN)) 668 return -EFAULT; 669 670 if (*buffer == '+') { 671 nodenum = simple_strtoul(buffer+1, NULL, 10);
··· 664 char buffer[PROC_WRITELEN+1]; 665 unsigned long nodenum; 666 667 + if (size > PROC_WRITELEN) 668 + return -EIO; 669 + if (copy_from_user(buffer, input, size)) 670 return -EFAULT; 671 + buffer[size] = 0; 672 673 if (*buffer == '+') { 674 nodenum = simple_strtoul(buffer+1, NULL, 10);
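Review bot: The new `if (size > PROC_WRITELEN) return -EIO;` check rejects an oversized write with -EIO, which usually indicates a device or transport failure; -EINVAL would tell the caller more directly that the input length was the problem. The bound itself is right: `buffer` is declared as `PROC_WRITELEN+1` bytes, so `buffer[size] = 0` stays in bounds for every `size` that passes the check, including `size == 0`. Separately, `simple_strtoul(buffer+1, NULL, 10)` is still called with a NULL end pointer, so trailing non-digit bytes after the number are accepted silently; passing an end pointer and rejecting unexpected trailing characters would make the parse strict.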