summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-03-20 15:42:52 +0100
committerPatrick McHardy <kaber@trash.net>2011-03-20 15:42:52 +0100
commit961ed183a9fd080cf306c659b8736007e44065a5 (patch)
tree7bf0a65c184a2c4fc0571ff9af8ce633efc73bcf /net
parentdb856674ac69e31946e56085239757cca3f7655f (diff)
downloadlwn-961ed183a9fd080cf306c659b8736007e44065a5.tar.gz
lwn-961ed183a9fd080cf306c659b8736007e44065a5.zip
netfilter: ipt_CLUSTERIP: fix buffer overflow
'buffer' string is copied from userspace. It is not checked whether it is zero terminated. This may lead to overflow inside of simple_strtoul(). Changli Gao suggested to copy not more than user supplied 'size' bytes. It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are root writable only by default, however, on some setups permissions might be relaxed to e.g. network admin user. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Acked-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 403ca57f6011..d609ac3cb9a4 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -664,8 +664,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
char buffer[PROC_WRITELEN+1];
unsigned long nodenum;
- if (copy_from_user(buffer, input, PROC_WRITELEN))
+ if (size > PROC_WRITELEN)
+ return -EIO;
+ if (copy_from_user(buffer, input, size))
return -EFAULT;
+ buffer[size] = 0;
if (*buffer == '+') {
nodenum = simple_strtoul(buffer+1, NULL, 10);