[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210111130035.755141173@linuxfoundation.org>
Date: Mon, 11 Jan 2021 14:01:22 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org,
syzbot+e86f7c428c8c50db65b4@...kaller.appspotmail.com,
Florian Westphal <fw@...len.de>,
Pablo Neira Ayuso <pablo@...filter.org>
Subject: [PATCH 4.9 44/45] netfilter: xt_RATEEST: reject non-null terminated string from userspace
From: Florian Westphal <fw@...len.de>
commit 6cb56218ad9e580e519dcd23bfb3db08d8692e5a upstream.
syzbot reports:
detected buffer overflow in strlen
[..]
Call Trace:
strlen include/linux/string.h:325 [inline]
strlcpy include/linux/string.h:348 [inline]
xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143
strlcpy assumes src is a c-string. Check info->name before its used.
Reported-by: syzbot+e86f7c428c8c50db65b4@...kaller.appspotmail.com
Fixes: 5859034d7eb8793 ("[NETFILTER]: x_tables: add RATEEST target")
Signed-off-by: Florian Westphal <fw@...len.de>
Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
net/netfilter/xt_RATEEST.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -106,6 +106,9 @@ static int xt_rateest_tg_checkentry(cons
} cfg;
int ret;
+ if (strnlen(info->name, sizeof(est->name)) >= sizeof(est->name))
+ return -ENAMETOOLONG;
+
net_get_random_once(&jhash_rnd, sizeof(jhash_rnd));
mutex_lock(&xt_rateest_mutex);
Powered by blists - more mailing lists