[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1299780740-32652-1-git-send-email-segoon@openwall.com>
Date: Thu, 10 Mar 2011 21:12:19 +0300
From: Vasiliy Kulikov <segoon@...nwall.com>
To: linux-kernel@...r.kernel.org
Cc: security@...nel.org, Patrick McHardy <kaber@...sh.net>,
"David S. Miller" <davem@...emloft.net>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
James Morris <jmorris@...ei.org>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org,
coreteam@...filter.org, netdev@...r.kernel.org
Subject: [PATCH] ipv4: netfilter: ipt_CLUSTERIP: fix buffer overflow
buffer string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().
It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.
Signed-off-by: Vasiliy Kulikov <segoon@...nwall.com>
---
Compile tested.
net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 403ca57..7aabf9a 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -666,6 +666,7 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
if (copy_from_user(buffer, input, PROC_WRITELEN))
return -EFAULT;
+ buffer[sizeof(buffer)-1] = 0;
if (*buffer == '+') {
nodenum = simple_strtoul(buffer+1, NULL, 10);
--
1.7.0.4
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists