| From 280f1015075daebfd9a77e56cbe1620e045ea05d Mon Sep 17 00:00:00 2001 |
| From: Vasiliy Kulikov <segoon@openwall.com> |
| Date: Sun, 20 Mar 2011 15:42:52 +0100 |
| Subject: [PATCH] netfilter: ipt_CLUSTERIP: fix buffer overflow |
| |
| commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream. |
| |
| 'buffer' string is copied from userspace. It is not checked whether it is |
| zero terminated. This may lead to overflow inside of simple_strtoul(). |
| Changli Gao suggested to copy not more than user supplied 'size' bytes. |
| |
| It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are |
| root writable only by default, however, on some setups permissions might be |
| relaxed to e.g. network admin user. |
| |
| Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> |
| Acked-by: Changli Gao <xiaosuo@gmail.com> |
| Signed-off-by: Patrick McHardy <kaber@trash.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c |
| index ab82840..e8bd977 100644 |
| --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c |
| +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c |
| @@ -663,8 +663,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input, |
| char buffer[PROC_WRITELEN+1]; |
| unsigned long nodenum; |
| |
| - if (copy_from_user(buffer, input, PROC_WRITELEN)) |
| + if (size > PROC_WRITELEN) |
| + return -EIO; |
| + if (copy_from_user(buffer, input, size)) |
| return -EFAULT; |
| + buffer[size] = 0; |
| |
| if (*buffer == '+') { |
| nodenum = simple_strtoul(buffer+1, NULL, 10); |
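Review bot: The new guard `if (size > PROC_WRITELEN)` and the terminator write `buffer[size] = 0;` are in bounds only because the array is declared `char buffer[PROC_WRITELEN+1]` two lines above, and nothing in the code ties the three together. Writing the guard against the array itself, `if (size >= sizeof(buffer)) return -EIO;`, keeps both the copy and the terminator inside the buffer even if the declaration is later changed. The type of `size` is not visible here because the signature is cut off in the hunk header; the check is complete only if `size` is unsigned, which is worth confirming. Separately, the context line `simple_strtoul(buffer+1, NULL, 10)` passes no end pointer, so trailing non-digit bytes after the number are accepted silently. The body of clusterip_proc_write continues outside the hunk.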
| -- |
| 1.7.4.4 |
| |