From: Santosh Nayak <santoshprasadnayak@xxxxxxxxx> While copying to userspace, the size of source is 29byte where as size parametre is 32 byte. Its leaking extra-information from kernel space to user space. Replace EBT_FUNCTION_MAXNAMELEN by XT_EXTENSION_MAXNAMELEN. Signed-off-by: Santosh Nayak <santoshprasadnayak@xxxxxxxxx> --- net/bridge/netfilter/ebtables.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 5864cc4..f3fcbd9 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1335,7 +1335,7 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m, const char *base, char __user *ubase) { char __user *hlp = ubase + ((char *)m - base); - if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) + if (copy_to_user(hlp, m->u.match->name, XT_EXTENSION_MAXNAMELEN)) return -EFAULT; return 0; } @@ -1344,7 +1344,7 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w, const char *base, char __user *ubase) { char __user *hlp = ubase + ((char *)w - base); - if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) + if (copy_to_user(hlp , w->u.watcher->name, XT_EXTENSION_MAXNAMELEN)) return -EFAULT; return 0; } @@ -1368,7 +1368,7 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase) ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase); if (ret != 0) return ret; - if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN)) + if (copy_to_user(hlp, t->u.target->name, XT_EXTENSION_MAXNAMELEN)) return -EFAULT; return 0; } -- 1.7.4.4 -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html