On Thu, Mar 01, 2012 at 02:37:36PM +0300, Dan Carpenter wrote:
> On Thu, Mar 01, 2012 at 11:18:09AM +0100, Pablo Neira Ayuso wrote:
> > On Thu, Mar 01, 2012 at 02:46:30PM +0530, santosh nayak wrote:
> > > From: Santosh Nayak <santoshprasadnayak@xxxxxxxxx>
> > >
> > > While copying to userspace, the size of the source is 29 bytes whereas
> > > the size parameter is 32 bytes. It's leaking extra information from
> > > kernel space to user space.
> > > Replace EBT_FUNCTION_MAXNAMELEN by XT_EXTENSION_MAXNAMELEN.
> >
> > There's no information leak.
> >
> > Where do we clear "m"?
>
> include/linux/netfilter/x_tables.h
> struct xt_match {
>         struct list_head list;
>
>         const char name[XT_EXTENSION_MAXNAMELEN];
>         u_int8_t revision;
>
>
> There is a 2 byte hole here between "revision" and "match()".  We
> copy three bytes past the end of name, so we include revision and
> the hole.
>
> But maybe we memset it somewhere?  I'm not sure.

xt_match instances are declared as static for each module so it's
allocated in the BSS (already zeroed), is that what you mean?

>         /* Return true or false: return FALSE and set *hotdrop = 1 to
>            force immediate packet drop. */
>         /* Arguments changed since 2.6.9, as this must now handle
>            non-linear skb, using skb_header_pointer and
>            skb_ip_make_writable. */
>         bool (*match)(const struct sk_buff *skb,
>                       struct xt_action_param *);
>
> regards,
> dan carpenter
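
The layout discussed in this thread can be checked in user space. The following is an added example, not code from the thread or the kernel tree: `mock_xt_match` is a hypothetical stand-in for the first members of `struct xt_match` (with `list_head` modelled as two pointers), and the helper function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XT_EXTENSION_MAXNAMELEN 29 /* size of the source field, per the thread */
#define EBT_FUNCTION_MAXNAMELEN 32 /* size passed to the copy, per the thread */

/* Hypothetical user-space stand-in for the start of struct xt_match;
 * list_head is modelled as two pointers and later members are omitted. */
struct mock_xt_match {
    void *list_next, *list_prev;
    char name[XT_EXTENSION_MAXNAMELEN];
    uint8_t revision;
    int (*match)(const void *skb, void *par);
};

/* Bytes a 32-byte copy reads beyond the end of name[]. */
size_t bytes_past_name(void)
{
    return EBT_FUNCTION_MAXNAMELEN - sizeof(((struct mock_xt_match *)0)->name);
}

/* Compiler-inserted padding between revision and the match pointer. */
size_t hole_after_revision(void)
{
    return offsetof(struct mock_xt_match, match)
         - (offsetof(struct mock_xt_match, revision) + sizeof(uint8_t));
}

/* Models the copy under discussion: 32 bytes starting at name[]. */
void copy_name_wide(unsigned char out[EBT_FUNCTION_MAXNAMELEN],
                    const struct mock_xt_match *m)
{
    memcpy(out, (const unsigned char *)m + offsetof(struct mock_xt_match, name),
           EBT_FUNCTION_MAXNAMELEN);
}

/* Bounded form: zero the 32-byte slot, then copy only the 29-byte field. */
void copy_name_bounded(unsigned char out[EBT_FUNCTION_MAXNAMELEN],
                       const struct mock_xt_match *m)
{
    memset(out, 0, EBT_FUNCTION_MAXNAMELEN);
    memcpy(out, m->name, sizeof(m->name));
}

int main(void)
{
    printf("past name: %zu, hole: %zu\n", bytes_past_name(), hole_after_revision());
    return 0;
}
```

The wide copy carries the `revision` byte and the two padding bytes into the output buffer; the bounded copy leaves those three positions zero regardless of how the source object was initialised.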