bridge: netfilter: fix information leak

commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream. Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Vasiliy Kulikov <segoon@openwall.com> 2011-02-14 16:49:23 +0100
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-04-14 13:02:28 -0700
commit: 1d7b65a52f9bba3af57f1145e18fefff6a8df06a (patch)
tree: 3eaa9d8f9836c4e52bb5ae96b7643c8eb2237e8c /net
parent: a0ef5893ec7ae42f502993f6e4f6e60e6f941ce0 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 16df0532d4b..47acf4a50ef 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
 
+	tmp.name[sizeof(tmp.name) - 1] = 0;
+
 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
 	if (!newinfo)
author	Vasiliy Kulikov <segoon@openwall.com>	2011-02-14 16:49:23 +0100
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-04-14 13:02:28 -0700
commit	1d7b65a52f9bba3af57f1145e18fefff6a8df06a (patch)
tree	3eaa9d8f9836c4e52bb5ae96b7643c8eb2237e8c /net
parent	a0ef5893ec7ae42f502993f6e4f6e60e6f941ce0 (diff)