bridge: netfilter: fix information leak

commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream. Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Vasiliy Kulikov <segoon@openwall.com> 2011-02-14 16:49:23 +0100
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-04-14 16:53:01 -0700
commit: 9dc744817dd4c3c52b714a7eea73a8aeba18d1fd (patch)
tree: 6b58cbe8632272f7a575da32319f84f225d9671f
parent: a578aadd26d69db27e80f01fbb88a7b91d4c7500 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 0b7f262cd14..d73d47f2a4a 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -979,6 +979,8 @@ static int do_replace(struct net *net, void __user *user, unsigned int len)
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
 
+	tmp.name[sizeof(tmp.name) - 1] = 0;
+
 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
 	if (!newinfo)
author	Vasiliy Kulikov <segoon@openwall.com>	2011-02-14 16:49:23 +0100
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-04-14 16:53:01 -0700
commit	9dc744817dd4c3c52b714a7eea73a8aeba18d1fd (patch)
tree	6b58cbe8632272f7a575da32319f84f225d9671f
parent	a578aadd26d69db27e80f01fbb88a7b91d4c7500 (diff)