Re: [backport request] netfilter: ipt_ULOG: fix info leaks

On Sun, Jun 29, 2014 at 10:08:25PM +0200, Jan Tore Morken wrote:
> Hi,
> 
> apparently the below commit didn't find its way to -stable. Please
> backport this quite straightforward fix to a blatant and by now rather
> old information leak issue. Applies cleanly to anything above 3.4. 3.4
> and down requires very minor tweaks.
> 
> Thanks!
> 

Thank you, I'm queuing this patch for the 3.11 kernel.

Cheers,
--
Luís

> ===
> 
> From 278f2b3e2af5f32ea1afe34fa12a2518153e6e49 Mon Sep 17 00:00:00 2001
> From: Mathias Krause <minipli@xxxxxxxxxxxxxx>
> Date: Mon, 30 Sep 2013 22:05:08 +0200
> Subject: [PATCH] netfilter: ipt_ULOG: fix info leaks
> 
> The ulog messages leak heap bytes by the means of padding bytes and
> incompletely filled string arrays. Fix those by memset(0)'ing the
> whole struct before filling it.
> 
> Signed-off-by: Mathias Krause <minipli@xxxxxxxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
>  net/ipv4/netfilter/ipt_ULOG.c | 7 +------
>  1 file changed, 1 insertion(+), 6 deletions(-)
> 
> diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
> index cbc2215..9cb993c 100644
> --- a/net/ipv4/netfilter/ipt_ULOG.c
> +++ b/net/ipv4/netfilter/ipt_ULOG.c
> @@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net,
>  	ub->qlen++;
>  
>  	pm = nlmsg_data(nlh);
> +	memset(pm, 0, sizeof(*pm));
>  
>  	/* We might not have a timestamp, get one */
>  	if (skb->tstamp.tv64 == 0)
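
Review bot: the memset added after pm = nlmsg_data(nlh) is bounded by sizeof(*pm), so it clears the struct itself and nothing past it. pm->payload is filled separately with copy_len bytes by skb_copy_bits() in the last hunk; if the payload extends beyond the struct, any message bytes after the copied payload are not covered by this clear. Please confirm the message length matches what is actually written, or zero the tail as well.
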
> @@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net,
>  	}
>  	else if (loginfo->prefix[0] != '\0')
>  		strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
> -	else
> -		*(pm->prefix) = '\0';
>  
>  	if (in && in->hard_header_len > 0 &&
>  	    skb->mac_header != skb->network_header &&
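
Review bot: with the else branch after the pm->prefix copy removed, an empty loginfo->prefix is handled only by the memset from the first hunk, and the remaining strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)) still leaves pm->prefix without a terminating NUL when the source fills the whole array. Since the buffer is now zeroed up front, copying at most sizeof(pm->prefix) - 1 bytes would guarantee termination; if the field is meant to be fixed-width, a comment saying so would help readers of the message.
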
> @@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net,
>  
>  	if (in)
>  		strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
> -	else
> -		pm->indev_name[0] = '\0';
>  
>  	if (out)
>  		strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));
> -	else
> -		pm->outdev_name[0] = '\0';
>  
>  	/* copy_len <= skb->len, so can't fail. */
>  	if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
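
Review bot: the removed else branches for pm->indev_name and pm->outdev_name wrote only the first byte of each array, so dropping them is fine, but the case where in or out is NULL now depends on the memset staying ahead of these assignments. A one-line comment at the memset, saying that it also clears padding and unused name bytes, would keep a later cleanup from removing it as redundant.
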
> -- 
> 2.0.0
> 

