| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <lsq.1407170912.630009472@decadent.org.uk> Date: Mon, 04 Aug 2014 17:48:32 +0100 From: Ben Hutchings <ben@...adent.org.uk> To: linux-kernel@...r.kernel.org, stable@...r.kernel.org CC: akpm@...ux-foundation.org, "Pablo Neira Ayuso" <pablo@...filter.org>, "Mathias Krause" <minipli@...glemail.com> Subject: [PATCH 3.2 67/94] netfilter: ipt_ULOG: fix info leaks 3.2.62-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Mathias Krause <minipli@...glemail.com> commit 278f2b3e2af5f32ea1afe34fa12a2518153e6e49 upstream. The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Signed-off-by: Mathias Krause <minipli@...glemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@...adent.org.uk> --- net/ipv4/netfilter/ipt_ULOG.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c @@ -202,6 +202,7 @@ static void ipt_ulog_packet(unsigned int ub->qlen++; pm = NLMSG_DATA(nlh); + memset(pm, 0, sizeof(*pm)); /* We might not have a timestamp, get one */ if (skb->tstamp.tv64 == 0) @@ -218,8 +219,6 @@ static void ipt_ulog_packet(unsigned int strncpy(pm->prefix, prefix, sizeof(pm->prefix)); else if (loginfo->prefix[0] != '\0') strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)); - else - *(pm->prefix) = '\0'; if (in && in->hard_header_len > 0 && skb->mac_header != skb->network_header && @@ -231,13 +230,9 @@ static void ipt_ulog_packet(unsigned int if (in) strncpy(pm->indev_name, in->name, sizeof(pm->indev_name)); - else - pm->indev_name[0] = '\0'; if (out) strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); - else - pm->outdev_name[0] = '\0'; /* copy_len <= skb->len, so can't fail. */ if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists