Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-11 16:29:05 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

netfilter: ipt_CLUSTERIP: fix buffer overflow

Browse Source 
'buffer' string is copied from userspace.  It is not checked whether it is
zero terminated.  This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
Vasiliy Kulikov 2011-03-20 15:42:52 +01:00 committed by Patrick McHardy
parent db856674ac
commit 961ed183a9
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
net/ipv4/netfilter/ipt_CLUSTERIP.c
View File

@ -664,8 +664,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
char buffer[PROC_WRITELEN+1]; char buffer[PROC_WRITELEN+1];
unsigned long nodenum; unsigned long nodenum;
if (copy_from_user(buffer, input, PROC_WRITELEN)) if (size > PROC_WRITELEN)
return -EIO;
if (copy_from_user(buffer, input, size))
return -EFAULT; return -EFAULT;
buffer[size] = 0;
if (*buffer == '+') { if (*buffer == '+') {
nodenum = simple_strtoul(buffer+1, NULL, 10); nodenum = simple_strtoul(buffer+1, NULL, 10);