bridge: netfilter: fix information leak

Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Vasiliy Kulikov <segoon@openwall.com> 2011-02-14 16:49:23 +0100
committer: Patrick McHardy <kaber@trash.net> 2011-02-14 16:49:23 +0100
commit: d846f71195d57b0bbb143382647c2c6638b04c5a (patch)
tree: 67515bc845a399c77df22dd859cabdb17dcd70ff
parent: 44bd4de9c2270b22c3c898310102bc6be9ed2978 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5f1825df9dc..893669caa8d 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
 
+	tmp.name[sizeof(tmp.name) - 1] = 0;
+
 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
 	if (!newinfo)
author	Vasiliy Kulikov <segoon@openwall.com>	2011-02-14 16:49:23 +0100
committer	Patrick McHardy <kaber@trash.net>	2011-02-14 16:49:23 +0100
commit	d846f71195d57b0bbb143382647c2c6638b04c5a (patch)
tree	67515bc845a399c77df22dd859cabdb17dcd70ff
parent	44bd4de9c2270b22c3c898310102bc6be9ed2978 (diff)