[PATCH] [32/106] netfilter: ipt_CLUSTERIP: fix buffer overflow

From: Andi Kleen
Date: Tue Apr 26 2011 - 17:32:13 EST


2.6.35-longterm review patch. If anyone has any objections, please let me know.

------------------
From: Vasiliy Kulikov <segoon@xxxxxxxxxxxx>

commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.

'buffer' string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <segoon@xxxxxxxxxxxx>
Acked-by: Changli Gao <xiaosuo@xxxxxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
Signed-off-by: Andi Kleen <ak@xxxxxxxxxxxxxxx>

---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.35.y.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.35.y/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -663,8 +663,11 @@ static ssize_t clusterip_proc_write(stru
char buffer[PROC_WRITELEN+1];
unsigned long nodenum;

- if (copy_from_user(buffer, input, PROC_WRITELEN))
+ if (size > PROC_WRITELEN)
+ return -EIO;
+ if (copy_from_user(buffer, input, size))
return -EFAULT;
+ buffer[size] = 0;

if (*buffer == '+') {
nodenum = simple_strtoul(buffer+1, NULL, 10);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/