linux/net/ipv6
Vasiliy Kulikov 6a8ab06077 ipv6: netfilter: ip6_tables: fix infoleak to userspace
Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
copied from userspace.  Fields of these structs that are
zero-terminated strings are not checked.  When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first bug was introduced before the git epoch;  the second was
introduced in 3bc3fe5e (v2.6.25-rc1);  the third is introduced by
6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2011-03-15 13:37:13 +01:00
..
netfilter ipv6: netfilter: ip6_tables: fix infoleak to userspace 2011-03-15 13:37:13 +01:00
addrconf_core.c ipv6: Remove IPV6_ADDR_RESERVED 2010-02-26 03:59:07 -08:00
addrconf.c ipv6: Silence privacy extensions initialization 2011-01-18 16:13:49 -08:00
addrlabel.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-09-27 01:03:03 -07:00
af_inet6.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-01-13 10:05:56 -08:00
ah6.c ah: reload pointers to skb data after calling skb_cow_data() 2011-01-11 14:03:10 -08:00
anycast.c net-next: remove useless union keyword 2010-06-10 23:31:35 -07:00
datagram.c tproxy: added tproxy sockopt interface in the IPV6 layer 2010-10-21 16:08:28 +02:00
esp6.c xfrm: Traffic Flow Confidentiality for IPv6 ESP 2010-12-10 14:43:59 -08:00
exthdrs_core.c net: return operator cleanup 2010-09-23 14:33:39 -07:00
exthdrs.c ipv6: avoid two atomics in ipv6_rthdr_rcv() 2010-06-14 23:13:06 -07:00
fib6_rules.c fib6: use FIB_LOOKUP_NOREF in fib6_rule_lookup() 2010-10-16 11:13:21 -07:00
icmp.c ipv6: fix ICMP6_MIB_OUTERRORS 2010-06-09 18:39:27 -07:00
inet6_connection_sock.c tcp: disallow bind() to reuse addr/port 2011-01-11 14:03:07 -08:00
inet6_hashtables.c tcp: Fix a connect() race with timewait sockets 2009-12-08 20:17:51 -08:00
ip6_fib.c fib: avoid false sharing on fib_table_hash 2010-10-16 11:13:23 -07:00
ip6_flowlabel.c IPv6: Add dontfrag argument to relevant functions 2010-04-23 23:35:28 -07:00
ip6_input.c Merge branch 'master' of /repos/git/net-next-2.6 2010-04-20 16:02:01 +02:00
ip6_output.c inet6: prevent network storms caused by linux IPv6 routers 2011-01-12 18:51:55 -08:00
ip6_tunnel.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-08 13:47:38 -08:00
ip6mr.c net: use the macros defined for the members of flowi 2010-11-17 12:27:45 -08:00
ipcomp6.c xfrm: SA lookups signature with mark 2010-02-22 16:20:22 -08:00
ipv6_sockglue.c tproxy: Add missing CAP_NET_ADMIN check to ipv6 side 2010-10-24 16:07:50 -07:00
Kconfig ipv6: ip6mr: support multiple tables 2010-05-11 14:40:55 +02:00
Makefile [IPV6] MROUTE: Support multicast forwarding. 2008-04-05 22:33:38 +09:00
mcast.c ipv6: mcast: RCU conversion 2010-11-24 11:16:42 -08:00
mip6.c IPv6: fix CoA check in RH2 input handler (mip6_rthdr_input()) 2010-07-18 15:04:33 -07:00
ndisc.c net: Abstract away all dst_entry metrics accesses. 2010-12-09 10:46:36 -08:00
netfilter.c net: use the macros defined for the members of flowi 2010-11-17 12:27:45 -08:00
proc.c ipv6/udp: report SndbufErrors and RcvbufErrors 2010-10-30 16:17:23 -07:00
protocol.c net: add __rcu annotations to protocol 2010-10-27 11:37:31 -07:00
raw.c net: add __rcu annotation to sk_filter 2010-10-25 14:18:28 -07:00
reassembly.c ipv6: Prepare the tree for un-inlined jhash. 2010-11-28 11:26:21 -08:00
route.c ipv6: fib6_ifdown cleanup 2010-12-18 22:01:16 -08:00
sit.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-08 13:47:38 -08:00
syncookies.c syncookies: add support for ECN 2010-06-26 22:00:03 -07:00
sysctl_net_ipv6.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
tcp_ipv6.c net: Abstract default ADVMSS behind an accessor. 2010-12-13 12:52:14 -08:00
tunnel6.c tunnels: add _rcu annotations 2010-10-25 13:09:45 -07:00
udp_impl.h net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
udp.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-17 12:27:22 -08:00
udplite.c net: fix nulls list corruptions in sk_prot_alloc 2010-12-16 14:26:56 -08:00
xfrm6_input.c netfilter: ipv6: use NFPROTO values for NF_HOOK invocation 2010-03-25 16:00:49 +01:00
xfrm6_mode_beet.c ipsec: Interfamily IPSec BEET, ipv4-inner ipv6-outer 2008-08-06 02:40:25 -07:00
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c ipv6: Use ip6_dst_hoplimit() instead of direct dst_metric() calls. 2010-12-12 21:14:46 -08:00
xfrm6_output.c ipv6: Fragment locally generated tunnel-mode IPSec6 packets as needed. 2010-12-19 20:22:23 -08:00
xfrm6_policy.c net dst: use a percpu_counter to track entries 2010-10-11 13:06:53 -07:00
xfrm6_state.c xfrm: Allow different selector family in temporary state 2010-09-20 11:11:38 -07:00
xfrm6_tunnel.c xfrm6: make xfrm6_tunnel_free_spi local 2010-10-21 03:09:45 -07:00