From: Patrick McHardy <kaber@trash.net>
To: James Morris <jmorris@namei.org>
Cc: "David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@redhat.com>,
Chris Wright <chrisw@sous-sol.org>
Subject: Re: [PATCH][SECURITY] secmark: nul-terminate secdata
Date: Sat, 29 Jul 2006 03:19:03 +0200
Message-ID: <44CAB787.8040204@trash.net>
In-Reply-To: <Pine.LNX.4.64.0607281649440.20690@d.namei>

James Morris wrote:
> The patch below fixes a problem in the iptables SECMARK target, where the
> user-supplied 'selctx' string may not be nul-terminated.
>
> From initial analysis, it seems that the strlen() called from
> selinux_string_to_sid() could run until it arbitrarily finds a zero, and
> possibly cause a kernel oops before then.
>
> The impact of this appears limited because the operation requires
> CAP_NET_ADMIN, which is essentially always root. Also, the module is not
> yet in wide use.
>
> Please apply.
>
> Note: some other iptables modules which handle strings supplied from
> userspace may require a similar fix (e.g. xt_string looks suspect at first
> glance).

I'll look into these, but it won't be the last of these problems. At the
last netfilter workshop Rusty spent some time figuring out "how many
iptables crashes (triggered by root) can I find in a few minutes", and
it was quite a lot. So far we've hoped for pkttables to make everything
better, but it looks like things like OpenVZ will beat us.
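
The bug class described in the quoted report, as an added example that is not part of the original thread or of the patch itself: a fixed-size string field copied from userspace gets a bounded scan before any strlen()-style call touches it. The struct, CTX_MAX and all function names are hypothetical, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define CTX_MAX 16  /* assumed field size, chosen small for the demo */

struct target_info {            /* hypothetical rule blob copied from userspace */
    char selctx[CTX_MAX];       /* may arrive without a terminating NUL */
};

/* Bounded length: never reads past the field. CTX_MAX means "no NUL found". */
static size_t ctx_len(const struct target_info *info)
{
    const char *end = memchr(info->selctx, '\0', CTX_MAX);
    return end ? (size_t)(end - info->selctx) : CTX_MAX;
}

/* Strict option: refuse a rule whose string is empty or unterminated. */
static int ctx_validate(const struct target_info *info)
{
    size_t n = ctx_len(info);
    return (n > 0 && n < CTX_MAX) ? 0 : -1;
}

/* Lenient option: force a NUL into the last byte before any str*() call.
 * Returns 1 if the input had been unterminated (and is now truncated). */
static int ctx_force_terminate(struct target_info *info)
{
    int unterminated = (ctx_len(info) == CTX_MAX);
    info->selctx[CTX_MAX - 1] = '\0';
    return unterminated;
}

/* Constructed sample input: n bytes from the caller, rest non-zero filler. */
static struct target_info make_info(const char *bytes, size_t n)
{
    struct target_info info;
    memset(info.selctx, 'X', CTX_MAX);
    memcpy(info.selctx, bytes, n < CTX_MAX ? n : CTX_MAX);
    return info;
}

int main(void)
{
    struct target_info bad = make_info("AAAAAAAAAAAAAAAA", 16); /* no NUL */
    printf("validate=%d len=%zu\n", ctx_validate(&bad), ctx_len(&bad));
    printf("forced=%d len=%zu\n", ctx_force_terminate(&bad), ctx_len(&bad));
    return 0;
}
```

Rejecting the rule surfaces malformed input to the caller, while forced termination silently truncates it; either way the later string handling stays inside the field.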