[PATCH] ipv4: netfilter: ipt_CLUSTERIP: fix buffer overflow

From: Vasiliy Kulikov
Date: Thu Mar 10 2011 - 13:12:32 EST

Next message: Vasiliy Kulikov: "[PATCH] ipv6: netfilter: ip6_tables: fix infoleak to userspace"
Previous message: Vasiliy Kulikov: "[PATCH] ipv4: netfilter: ip_tables: fix infoleak to userspace"
Next in thread: Changli Gao: "Re: [PATCH] ipv4: netfilter: ipt_CLUSTERIP: fix buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

buffer string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().

It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <segoon@xxxxxxxxxxxx>
---
Compile tested.

net/ipv4/netfilter/ipt_CLUSTERIP.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 403ca57..7aabf9a 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -666,6 +666,7 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,

if (copy_from_user(buffer, input, PROC_WRITELEN))
return -EFAULT;
+ buffer[sizeof(buffer)-1] = 0;

if (*buffer == '+') {
nodenum = simple_strtoul(buffer+1, NULL, 10);
--
1.7.0.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vasiliy Kulikov: "[PATCH] ipv6: netfilter: ip6_tables: fix infoleak to userspace"
Previous message: Vasiliy Kulikov: "[PATCH] ipv4: netfilter: ip_tables: fix infoleak to userspace"
Next in thread: Changli Gao: "Re: [PATCH] ipv4: netfilter: ipt_CLUSTERIP: fix buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]