bridge: netfilter: fix information leak Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Patrick McHardy <kaber@trash.net>

commit: d846f71195d57b0bbb143382647c2c6638b04c5a [log] [tgz]
author: Vasiliy Kulikov <segoon@openwall.com> Mon Feb 14 16:49:23 2011 +0100
committer: Patrick McHardy <kaber@trash.net> Mon Feb 14 16:49:23 2011 +0100
tree: 67515bc845a399c77df22dd859cabdb17dcd70ff
parent: 44bd4de9c2270b22c3c898310102bc6be9ed2978 [diff] [blame]
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5f1825d..893669c 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c

@@ -1107,6 +1107,8 @@
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
 
+	tmp.name[sizeof(tmp.name) - 1] = 0;
+
 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
 	if (!newinfo)
commit	d846f71195d57b0bbb143382647c2c6638b04c5a	[log] [tgz]
author	Vasiliy Kulikov <segoon@openwall.com>	Mon Feb 14 16:49:23 2011 +0100
committer	Patrick McHardy <kaber@trash.net>	Mon Feb 14 16:49:23 2011 +0100
tree	67515bc845a399c77df22dd859cabdb17dcd70ff
parent	44bd4de9c2270b22c3c898310102bc6be9ed2978 [diff] [blame]