This at least needs CAP_NET_ADMIN. It is already checked in do_ip6t_set_ctl(). Otherwise anyone could
On Thu, 16 Dec 2004, Bryan Fulton wrote:
////////////////////////////////////////////////////////
// 3: /net/ipv6/netfilter/ip6_tables.c::do_replace //
////////////////////////////////////////////////////////
- tainted unsigned scalar tmp.num_counters multiplied and passed to
vmalloc (1161) and memset (1166) which could overflow or be too large
Call to function "copy_from_user" TAINTS argument "tmp"
1143 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
1144 return -EFAULT;
...
TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
sink.
1161 counters = vmalloc(tmp.num_counters * sizeof(struct ip6t_counters));
1162 if (!counters) {
1163 ret = -ENOMEM;
1164 goto free_newinfo;
1165 }
TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
sink.
1166 memset(counters, 0, tmp.num_counters * sizeof(struct ip6t_counters));