From: Mathias Krause <minipli@googlemail.com>
Date: Mon, 30 Sep 2013 22:05:08 +0200
Subject: netfilter: ipt_ULOG: fix info leaks
commit 278f2b3e2af5f32ea1afe34fa12a2518153e6e49 upstream.
The ulog messages leak heap bytes by means of padding bytes and
incompletely filled string arrays. Fix those by memset(0)'ing the
whole struct before filling it.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/netfilter/ipt_ULOG.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -202,6 +202,7 @@ static void ipt_ulog_packet(unsigned int
ub->qlen++;
pm = NLMSG_DATA(nlh);
+ memset(pm, 0, sizeof(*pm));
/* We might not have a timestamp, get one */
if (skb->tstamp.tv64 == 0)
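Review bot: The added `memset(pm, 0, sizeof(*pm));` clears only the fixed-size header, not the `pm->payload` bytes that follow it. The payload is written by `skb_copy_bits()` for `copy_len` bytes in the last hunk, so any alignment padding after it is zeroed only if the message-allocation code outside this patch does so; that should be confirmed. The later hunks drop the explicit `'\0'` stores for `prefix`, `indev_name` and `outdev_name`, so those fields now depend entirely on this call running before they are filled. A comment such as `/* zero the whole header: padding and unused prefix/name bytes must not reach userspace */` would guard against a later reorder reintroducing the leak. Separately, the `strncpy(..., sizeof(field))` calls kept as context leave a field unterminated if the source ever fills it exactly, so it is worth checking that the sources are bounded below the field size. The body of `ipt_ulog_packet` starts and ends outside the hunk.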
@@ -218,8 +219,6 @@ static void ipt_ulog_packet(unsigned int
strncpy(pm->prefix, prefix, sizeof(pm->prefix));
else if (loginfo->prefix[0] != '\0')
strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
- else
- *(pm->prefix) = '\0';
if (in && in->hard_header_len > 0 &&
skb->mac_header != skb->network_header &&
@@ -231,13 +230,9 @@ static void ipt_ulog_packet(unsigned int
if (in)
strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
- else
- pm->indev_name[0] = '\0';
if (out)
strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));
- else
- pm->outdev_name[0] = '\0';
/* copy_len <= skb->len, so can't fail. */
if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)