[v2] ipv4: netfilter: ipt_CLUSTERIP: fix buffer overflow

Message ID 20110317113229.GA7710@albatros
State Not Applicable, archived
Delegated to: David Miller

Commit Message

Vasiliy Kulikov March 17, 2011, 11:32 a.m. UTC
'buffer' string is copied from userspace.  It is not checked whether it is
zero terminated.  This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
 net/ipv4/netfilter/ipt_CLUSTERIP.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

Comments

Changli Gao March 17, 2011, 12:15 p.m. UTC | #1
On Thu, Mar 17, 2011 at 7:32 PM, Vasiliy Kulikov <segoon@openwall.com> wrote:
> 'buffer' string is copied from userspace.  It is not checked whether it is
> zero terminated.  This may lead to overflow inside of simple_strtoul().
> Changli Gao suggested to copy not more than user supplied 'size' bytes.
>
> It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
> root writable only by default, however, on some setups permissions might be
> relaxed to e.g. network admin user.
>
> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>

Patrick McHardy March 20, 2011, 2:43 p.m. UTC | #2
On 17.03.2011 13:15, Changli Gao wrote:
> On Thu, Mar 17, 2011 at 7:32 PM, Vasiliy Kulikov <segoon@openwall.com> wrote:
>> 'buffer' string is copied from userspace.  It is not checked whether it is
>> zero terminated.  This may lead to overflow inside of simple_strtoul().
>> Changli Gao suggested to copy not more than user supplied 'size' bytes.
>>
>> It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
>> root writable only by default, however, on some setups permissions might be
>> relaxed to e.g. network admin user.
>>
>> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
> Acked-by: Changli Gao <xiaosuo@gmail.com>
> 
> 

Applied, thanks everyone.

Patch

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 1e26a48..af7dec6 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -669,8 +669,11 @@  static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
 	char buffer[PROC_WRITELEN+1];
 	unsigned long nodenum;
 
-	if (copy_from_user(buffer, input, PROC_WRITELEN))
+	if (size > PROC_WRITELEN)
+		return -EIO;
+	if (copy_from_user(buffer, input, size))
 		return -EFAULT;
+	buffer[size] = 0;
 
 	if (*buffer == '+') {
 		nodenum = simple_strtoul(buffer+1, NULL, 10);
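
Review bot: the added length check, "if (size > PROC_WRITELEN) return -EIO;", reports an over-long write as an I/O error although nothing failed at the I/O level; -EINVAL would tell the writer that the input length itself was rejected. The bounds are consistent with the visible declaration: with size <= PROC_WRITELEN, the new "buffer[size] = 0;" stays inside "char buffer[PROC_WRITELEN+1]", so the string handed to simple_strtoul() is always terminated. A one-line comment on the declaration noting that the extra byte is reserved for this terminator would keep a later cleanup from shrinking the array.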