forked from Minki/linux
netfilter: ipt_CLUSTERIP: fix buffer overflow
'buffer' string is copied from userspace. It is not checked whether it is zero terminated. This may lead to overflow inside of simple_strtoul(). Changli Gao suggested to copy not more than user supplied 'size' bytes. It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are root writable only by default, however, on some setups permissions might be relaxed to e.g. network admin user. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Acked-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
parent
db856674ac
commit
961ed183a9
@ -664,8 +664,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
|
||||
char buffer[PROC_WRITELEN+1];
|
||||
unsigned long nodenum;
|
||||
|
||||
if (copy_from_user(buffer, input, PROC_WRITELEN))
|
||||
if (size > PROC_WRITELEN)
|
||||
return -EIO;
|
||||
if (copy_from_user(buffer, input, size))
|
||||
return -EFAULT;
|
||||
buffer[size] = 0;
|
||||
|
||||
if (*buffer == '+') {
|
||||
nodenum = simple_strtoul(buffer+1, NULL, 10);
|
||||
|
Loading…
Reference in New Issue
Block a user