From: Gao Feng <gfree.wind@xxxxxxxxxxx>
The helper and timeout strings are from user-space, we need to make
sure they are null terminated. If not, evil user could make kernel
read the unexpected memory, even print it when fail to find by the
following codes.
pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
Signed-off-by: Gao Feng <gfree.wind@xxxxxxxxxxx>
---
net/netfilter/xt_CT.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 8790190..f4b7d31 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -245,12 +245,14 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
}
if (info->helper[0]) {
+ info->helper[sizeof(info->helper) - 1] = '\0';
ret = xt_ct_set_helper(ct, info->helper, par);
if (ret < 0)
goto err3;
}
if (info->timeout[0]) {
+ info->timeout[sizeof(info->timeout) - 1] = '\0';
ret = xt_ct_set_timeout(ct, par, info->timeout);
if (ret < 0)
goto err4;
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
