Hi,
On Tue, 29 May 2018, Pablo Neira Ayuso wrote:
> On Tue, May 29, 2018 at 11:58:29AM +0800, gfree.wind@xxxxxxxxxxx wrote:
> > From: Gao Feng <gfree.wind@xxxxxxxxxxx>
> >
> > The helper and timeout strings are from user-space, we need to make
> > sure they are null terminated. If not, evil user could make kernel
> > read the unexpected memory, even print it when fail to find by the
> > following codes.
> >
> > pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
> >
> > Signed-off-by: Gao Feng <gfree.wind@xxxxxxxxxxx>
> > ---
> > net/netfilter/xt_CT.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
> > index 8790190..f4b7d31 100644
> > --- a/net/netfilter/xt_CT.c
> > +++ b/net/netfilter/xt_CT.c
> > @@ -245,12 +245,14 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
> > }
> >
> > if (info->helper[0]) {
> > + info->helper[sizeof(info->helper) - 1] = '\0';
>
> Probably better to reject non-nul terminated strings from userspace?
Attackers can easily build custom tools by which they then send arbitrary
parameters to the kernel. So I think it's better to sanitize the input at
kernel side - and do the same in our userspace tools as well :-)
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
