releases/2.6.30.4/netfilter-nf_log-fix-direct-userspace-memory-access-in-proc-handler.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 249556192859490b6280552d4b877064f9f5ee48 Mon Sep 17 00:00:00 2001
 From: Patrick McHardy <kaber@trash.net>
 Date: Mon, 22 Jun 2009 14:15:30 +0200
 Subject: netfilter: nf_log: fix direct userspace memory access in proc handler

 From: Patrick McHardy <kaber@trash.net>

 commit 249556192859490b6280552d4b877064f9f5ee48 upstream.

 Signed-off-by: Patrick McHardy <kaber@trash.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  net/netfilter/nf_log.c |   16 +++++++++++-----
  1 file changed, 11 insertions(+), 5 deletions(-)

 --- a/net/netfilter/nf_log.c
 +++ b/net/netfilter/nf_log.c
 @@ -47,7 +47,6 @@ int nf_log_register(u_int8_t pf, struct
  	mutex_lock(&nf_log_mutex);

  	if (pf == NFPROTO_UNSPEC) {
 -		int i;
  		for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
  			list_add_tail(&(logger->list[i]), &(nf_loggers_l[i]));
  	} else {
 @@ -216,7 +215,7 @@ static const struct file_operations nflo
  #endif /* PROC_FS */

  #ifdef CONFIG_SYSCTL
 -struct ctl_path nf_log_sysctl_path[] = {
 +static struct ctl_path nf_log_sysctl_path[] = {
  	{ .procname = "net", .ctl_name = CTL_NET, },
  	{ .procname = "netfilter", .ctl_name = NET_NETFILTER, },
  	{ .procname = "nf_log", .ctl_name = CTL_UNNUMBERED, },
 @@ -228,19 +227,26 @@ static struct ctl_table nf_log_sysctl_ta
  static struct ctl_table_header *nf_log_dir_header;

  static int nf_log_proc_dostring(ctl_table *table, int write, struct file *filp,
 -			 void *buffer, size_t *lenp, loff_t *ppos)
 +			 void __user *buffer, size_t *lenp, loff_t *ppos)
  {
  	const struct nf_logger *logger;
 +	char buf[NFLOGGER_NAME_LEN];
 +	size_t size = *lenp;
  	int r = 0;
  	int tindex = (unsigned long)table->extra1;

  	if (write) {
 -		if (!strcmp(buffer, "NONE")) {
 +		if (size > sizeof(buf))
 +			size = sizeof(buf);
 +		if (copy_from_user(buf, buffer, size))
 +			return -EFAULT;
 +
 +		if (!strcmp(buf, "NONE")) {
  			nf_log_unbind_pf(tindex);
  			return 0;
  		}
  		mutex_lock(&nf_log_mutex);
 -		logger = __find_logger(tindex, buffer);
 +		logger = __find_logger(tindex, buf);
  		if (logger == NULL) {
  			mutex_unlock(&nf_log_mutex);
  			return -ENOENT;
	From 249556192859490b6280552d4b877064f9f5ee48 Mon Sep 17 00:00:00 2001
	From: Patrick McHardy <kaber@trash.net>
	Date: Mon, 22 Jun 2009 14:15:30 +0200
	Subject: netfilter: nf_log: fix direct userspace memory access in proc handler

	From: Patrick McHardy <kaber@trash.net>

	commit 249556192859490b6280552d4b877064f9f5ee48 upstream.

	Signed-off-by: Patrick McHardy <kaber@trash.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	net/netfilter/nf_log.c \| 16 +++++++++++-----
	1 file changed, 11 insertions(+), 5 deletions(-)

	--- a/net/netfilter/nf_log.c
	+++ b/net/netfilter/nf_log.c
	@@ -47,7 +47,6 @@ int nf_log_register(u_int8_t pf, struct
	mutex_lock(&nf_log_mutex);

	if (pf == NFPROTO_UNSPEC) {
	- int i;
	for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
	list_add_tail(&(logger->list[i]), &(nf_loggers_l[i]));
	} else {
	@@ -216,7 +215,7 @@ static const struct file_operations nflo
	#endif /* PROC_FS */

	#ifdef CONFIG_SYSCTL
	-struct ctl_path nf_log_sysctl_path[] = {
	+static struct ctl_path nf_log_sysctl_path[] = {
	{ .procname = "net", .ctl_name = CTL_NET, },
	{ .procname = "netfilter", .ctl_name = NET_NETFILTER, },
	{ .procname = "nf_log", .ctl_name = CTL_UNNUMBERED, },
	@@ -228,19 +227,26 @@ static struct ctl_table nf_log_sysctl_ta
	static struct ctl_table_header *nf_log_dir_header;

	static int nf_log_proc_dostring(ctl_table table, int write, struct file filp,
	- void buffer, size_t lenp, loff_t *ppos)
	+ void __user buffer, size_t lenp, loff_t *ppos)
	{
	const struct nf_logger *logger;
	+ char buf[NFLOGGER_NAME_LEN];
	+ size_t size = *lenp;
	int r = 0;
	int tindex = (unsigned long)table->extra1;

	if (write) {
	- if (!strcmp(buffer, "NONE")) {
	+ if (size > sizeof(buf))
	+ size = sizeof(buf);
	+ if (copy_from_user(buf, buffer, size))
	+ return -EFAULT;
	+
	+ if (!strcmp(buf, "NONE")) {
	nf_log_unbind_pf(tindex);
	return 0;
	}
	mutex_lock(&nf_log_mutex);
	- logger = __find_logger(tindex, buffer);
	+ logger = __find_logger(tindex, buf);
	if (logger == NULL) {
	mutex_unlock(&nf_log_mutex);
	return -ENOENT;