| From: Mathias Krause <minipli@googlemail.com> |
| Date: Mon, 30 Sep 2013 22:05:08 +0200 |
| Subject: netfilter: ipt_ULOG: fix info leaks |
| |
| commit 278f2b3e2af5f32ea1afe34fa12a2518153e6e49 upstream. |
| |
| The ulog messages leak heap bytes by the means of padding bytes and |
| incompletely filled string arrays. Fix those by memset(0)'ing the |
| whole struct before filling it. |
| |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| [bwh: Backported to 3.2: adjust context] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/ipv4/netfilter/ipt_ULOG.c | 7 +------ |
| 1 file changed, 1 insertion(+), 6 deletions(-) |
| |
| --- a/net/ipv4/netfilter/ipt_ULOG.c |
| +++ b/net/ipv4/netfilter/ipt_ULOG.c |
| @@ -202,6 +202,7 @@ static void ipt_ulog_packet(unsigned int |
| ub->qlen++; |
| |
| pm = NLMSG_DATA(nlh); |
| + memset(pm, 0, sizeof(*pm)); |
| |
| /* We might not have a timestamp, get one */ |
| if (skb->tstamp.tv64 == 0) |
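Review bot: The added `memset(pm, 0, sizeof(*pm));` carries no comment, yet the two later hunks delete the explicit empty-string `else` branches and now depend on it. A future cleanup could read it as redundant initialisation and drop it, reopening the leak the commit message describes. I would add `/* Zero the whole header: padding and unused tail bytes of the string fields are sent to userspace. */` above it. Note also that `sizeof(*pm)` covers only the fixed part of the message; the payload is filled later by `skb_copy_bits()`, and whether alignment padding after the payload is zeroed by the message-allocation helper is not visible in this hunk. The body of ipt_ulog_packet starts and ends outside the hunk.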
| @@ -218,8 +219,6 @@ static void ipt_ulog_packet(unsigned int |
| strncpy(pm->prefix, prefix, sizeof(pm->prefix)); |
| else if (loginfo->prefix[0] != '\0') |
| strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)); |
| - else |
| - *(pm->prefix) = '\0'; |
| |
| if (in && in->hard_header_len > 0 && |
| skb->mac_header != skb->network_header && |
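Review bot: The `strncpy(pm->prefix, ..., sizeof(pm->prefix))` calls kept here leave `pm->prefix` without a terminating NUL when the source is at least as long as the field, and with the `else` branch gone nothing else in the hunk writes a terminator. Since the struct is now zeroed up front, bounding the copy to one byte less guarantees termination: `strncpy(pm->prefix, prefix, sizeof(pm->prefix) - 1);`, and likewise for the `loginfo->prefix` copy. The same pattern applies to `pm->indev_name` and `pm->outdev_name` in the next hunk, though device names are presumably already terminated within the field size. Whether the sources are length-checked before reaching this function is not visible here, so this may be hardening rather than a live bug. Without it, a userspace reader treating the field as a C string could read past its end.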
| @@ -231,13 +230,9 @@ static void ipt_ulog_packet(unsigned int |
| |
| if (in) |
| strncpy(pm->indev_name, in->name, sizeof(pm->indev_name)); |
| - else |
| - pm->indev_name[0] = '\0'; |
| |
| if (out) |
| strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); |
| - else |
| - pm->outdev_name[0] = '\0'; |
| |
| /* copy_len <= skb->len, so can't fail. */ |
| if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) |