* [PATCH 1/2] netfilter: ebt_ulog: fix info leaks
From: Mathias Krause @ 2013-09-30 20:05 UTC (permalink / raw)
To: netfilter-devel
Cc: Mathias Krause, Pablo Neira Ayuso, Patrick McHardy,
Jozsef Kadlecsik, Bart De Schuymer
The ulog messages leak heap bytes by means of padding bytes and
incompletely filled string arrays. Fix those by memset(0)'ing the
whole struct before filling it.
Cc: Bart De Schuymer <bart.de.schuymer@pandora.be>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/bridge/netfilter/ebt_ulog.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 5180938..7c470c3 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -181,6 +181,7 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr,
ub->qlen++;
pm = nlmsg_data(nlh);
+ memset(pm, 0, sizeof(*pm));
/* Fill in the ulog data */
pm->version = EBT_ULOG_VERSION;
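Review bot: The new memset at `memset(pm, 0, sizeof(*pm));` carries no comment, and the reason it exists (padding and the unused tail of the string members reach user space through netlink) is exactly what a later refactor is likely to drop; I would add `/* Zero the header: padding and unused string bytes are copied to user space. */` above it, and the same comment on the matching memset in the ipt_ULOG patch. Note that sizeof(*pm) covers only the fixed part of the message; if the trailing data area is a flexible array, this is sufficient only because the skb_copy_bits later in the function fills it for copy_len bytes and the message is presumably sized to exactly that length, which is worth confirming. ebt_ulog_packet starts and ends outside this hunk.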
@@ -193,8 +194,6 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr,
pm->hook = hooknr;
if (uloginfo->prefix != NULL)
strcpy(pm->prefix, uloginfo->prefix);
- else
- *(pm->prefix) = '\0';
if (in) {
strcpy(pm->physindev, in->name);
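Review bot: With the else branch removed, the remaining `if (uloginfo->prefix != NULL)` looks dead: if prefix is an inline array member of struct ebt_ulog_info, as its use with strcpy suggests, the comparison is always true and only the removed branch gave it any purpose. Either drop the test or make it meaningful the way ipt_ULOG does, `if (uloginfo->prefix[0] != '\0')`. The unbounded strcpy also relies on uloginfo->prefix being NUL-terminated within its own array, which is presumably enforced at rule check time; since pm is now zeroed, a bounded copy of `sizeof(pm->prefix) - 1` bytes would remove that dependency at no cost. The enclosing function continues outside the hunk.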
@@ -204,16 +203,14 @@ static void ebt_ulog_packet(struct net *net, unsigned int hooknr,
strcpy(pm->indev, br_port_get_rcu(in)->br->dev->name);
else
strcpy(pm->indev, in->name);
- } else
- pm->indev[0] = pm->physindev[0] = '\0';
+ }
if (out) {
/* If out exists, then out is a bridge port */
strcpy(pm->physoutdev, out->name);
/* rcu_read_lock()ed by nf_hook_slow */
strcpy(pm->outdev, br_port_get_rcu(out)->br->dev->name);
- } else
- pm->outdev[0] = pm->physoutdev[0] = '\0';
+ }
if (skb_copy_bits(skb, -ETH_HLEN, pm->data, copy_len) < 0)
BUG();
--
1.7.10.4
From: Mathias Krause @ 2013-09-30 20:05 UTC (permalink / raw)
To: netfilter-devel
Cc: Mathias Krause, Pablo Neira Ayuso, Patrick McHardy,
Jozsef Kadlecsik
The ulog messages leak heap bytes by means of padding bytes and
incompletely filled string arrays. Fix those by memset(0)'ing the
whole struct before filling it.
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/ipv4/netfilter/ipt_ULOG.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index cbc2215..9cb993c 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net,
ub->qlen++;
pm = nlmsg_data(nlh);
+ memset(pm, 0, sizeof(*pm));
/* We might not have a timestamp, get one */
if (skb->tstamp.tv64 == 0)
@@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net,
}
else if (loginfo->prefix[0] != '\0')
strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
- else
- *(pm->prefix) = '\0';
if (in && in->hard_header_len > 0 &&
skb->mac_header != skb->network_header &&
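Review bot: The surviving `strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));` does not guarantee a terminator when the source fills the whole destination; it is safe only if loginfo->prefix is already NUL-terminated within the same length, which I would expect the rule check to enforce but cannot see here. Now that pm is zeroed before filling, copying `sizeof(pm->prefix) - 1` bytes guarantees termination for free. The same applies to the indev_name and outdev_name copies in the next hunk, where in->name and out->name are presumably IFNAMSIZ-bounded but the copy again uses the full destination size. The enclosing if and ipt_ulog_packet itself extend beyond this hunk.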
@@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net,
if (in)
strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
- else
- pm->indev_name[0] = '\0';
if (out)
strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));
- else
- pm->outdev_name[0] = '\0';
/* copy_len <= skb->len, so can't fail. */
if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
--
1.7.10.4