On Thu, Mar 01, 2012 at 02:37:36PM +0300, Dan Carpenter wrote:
> On Thu, Mar 01, 2012 at 11:18:09AM +0100, Pablo Neira Ayuso wrote:
> > On Thu, Mar 01, 2012 at 02:46:30PM +0530, santosh nayak wrote:
> > > From: Santosh Nayak <santoshprasadnayak@xxxxxxxxx>
> > >
> > > While copying to userspace, the size of source is 29byte where as
> > > size parametre is 32 byte. Its leaking extra-information from
> > > kernel space to user space.
> > > Replace EBT_FUNCTION_MAXNAMELEN by XT_EXTENSION_MAXNAMELEN.
> >
> > There's no information leak.
> >
>
> Where do we clear "m"?
>
> include/linux/netfilter/x_tables.h
> 287 struct xt_match {
> 288 struct list_head list;
> 289
> 290 const char name[XT_EXTENSION_MAXNAMELEN];
> 291 u_int8_t revision;
> 292
>
> There is a 2 byte holes here between "revision" and "match()". We
> copy three bytes past the end of name, so we include revision and
> the hole.
>
> But maybe we memset it somewhere? I'm not sure.
xt_match instances are declared as static for each module so it's
allocated in the BSS (already zeroed), is that what you mean?
> 293 /* Return true or false: return FALSE and set *hotdrop = 1 to
> 294 force immediate packet drop. */
> 295 /* Arguments changed since 2.6.9, as this must now handle
> 296 non-linear skb, using skb_header_pointer and
> 297 skb_ip_make_writable. */
> 298 bool (*match)(const struct sk_buff *skb,
> 299 struct xt_action_param *);
>
> regards,
> dan carpenter
>
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
