| commit | 8fd563c4a38f2a9d3cec689add4294cbc18a1dad | |
| author | Vasiliy Kulikov <segoon@openwall.com> | |
| Sun, 20 Mar 2011 14:42:52 +0000 (20 15:42 +0100) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Thu, 14 Apr 2011 23:53:36 +0000 (14 16:53 -0700) | ||
| tree | 884f6525da5029a369154cf7731aa94c80a0cd98 | treesnapshot (tar.gz zip) |
| parent | bf9717776581e3000f899fd0172d1eb448ab2679 | commitdiff |
netfilter: ipt_CLUSTERIP: fix buffer overflow
commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.
'buffer' string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.
It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.
'buffer' string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.
It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| net/ipv4/netfilter/ipt_CLUSTERIP.c | diffblobblamehistory |