From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 01/15] netfilter: xt_CT: Reject the non-null terminated string from user space
Date: Mon, 11 Jun 2018 11:22:19 +0200 [thread overview]
Message-ID: <20180611092233.3219-2-pablo@netfilter.org> (raw)
In-Reply-To: <20180611092233.3219-1-pablo@netfilter.org>
From: Gao Feng <gfree.wind@vip.163.com>
The helper and timeout strings are from user-space, we need to make
sure they are null terminated. If not, evil user could make kernel
read the unexpected memory, even print it when fail to find by the
following codes.
pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_CT.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 8790190c6feb..03b9a50ec93b 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -245,12 +245,22 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
}
if (info->helper[0]) {
+ if (strnlen(info->helper, sizeof(info->helper)) == sizeof(info->helper)) {
+ ret = -ENAMETOOLONG;
+ goto err3;
+ }
+
ret = xt_ct_set_helper(ct, info->helper, par);
if (ret < 0)
goto err3;
}
if (info->timeout[0]) {
+ if (strnlen(info->timeout, sizeof(info->timeout)) == sizeof(info->timeout)) {
+ ret = -ENAMETOOLONG;
+ goto err4;
+ }
+
ret = xt_ct_set_timeout(ct, par, info->timeout);
if (ret < 0)
goto err4;
--
2.11.0
next prev parent reply other threads:[~2018-06-11 9:22 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-11 9:22 [PATCH 00/15] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2018-06-11 9:22 ` Pablo Neira Ayuso [this message]
2018-06-11 9:22 ` [PATCH 02/15] netfilter: nf_tables: check msg_type before nft_trans_set(trans) Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 03/15] ipvs: register conntrack hooks for ftp Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 04/15] netfilter: nft_reject_bridge: fix skb allocation size in nft_reject_br_send_v6_unreach Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 05/15] ipvs: fix check on xmit to non-local addresses Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 06/15] netfilter: ebtables: fix compat entry padding Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 07/15] netfilter: xt_set: Check hook mask correctly Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 08/15] netfilter: ipset: List timing out entries with "timeout 1" instead of zero Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 09/15] netfilter: ipset: Limit max timeout value Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 10/15] netfilter: ipset: forbid family for hash:mac sets Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 11/15] netfilter: ebtables: reject non-bridge targets Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 12/15] netfilter: nft_set_rbtree: fix parameter of __nft_rbtree_lookup() Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 13/15] netfilter: nf_conntrack: Increase __IPS_MAX_BIT with new bit IPS_OFFLOAD_BIT Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 14/15] netfilter: x_tables: initialise match/target check parameter struct Pablo Neira Ayuso
2018-06-11 9:22 ` [PATCH 15/15] netfilter: remove include/net/netfilter/nft_dup.h Pablo Neira Ayuso
2018-06-11 23:31 ` [PATCH 00/15] Netfilter/IPVS fixes for net David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180611092233.3219-2-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).