diff options
author | Vasiliy Kulikov <segoon@openwall.com> | 2011-03-20 15:42:52 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-04-14 16:53:05 -0700 |
commit | 4bb6a75b2f2df9a8f113b2334577dc732eec7240 (patch) | |
tree | bd4744e82f9d7561bb0af8c3599c81289f8ef2e0 | |
parent | 82ea4c345d3f08b2a2267e84e68f289e66848c99 (diff) |
netfilter: ipt_CLUSTERIP: fix buffer overflow
commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.
'buffer' string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.
It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 40ca2d240ab..b5e6b654f84 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -666,8 +666,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input, struct clusterip_config *c = pde->data; unsigned long nodenum; - if (copy_from_user(buffer, input, PROC_WRITELEN)) + if (size > PROC_WRITELEN) + return -EIO; + if (copy_from_user(buffer, input, size)) return -EFAULT; + buffer[size] = 0; if (*buffer == '+') { nodenum = simple_strtoul(buffer+1, NULL, 10); |