Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e93b5f9f authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: cttimeout: fix buffer overflow 



Chen Gang reports:
the length of nla_data(cda[CTA_TIMEOUT_NAME]) is not limited in server side.

And indeed, its used to strcpy to a fixed-sized buffer.

Fortunately, nfnetlink users need CAP_NET_ADMIN.

Reported-by: default avatarChen Gang <gang.chen@asianux.com>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 4fe198e6

net/netfilter/nfnetlink_cttimeout.c

+2 −1
Original line number Diff line number Diff line
@@ -41,7 +41,8 @@ MODULE_DESCRIPTION("cttimeout: Extended Netfilter Connection Tracking timeout tu 
static LIST_HEAD(cttimeout_list);



static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = {

	[CTA_TIMEOUT_NAME]	= { .type = NLA_NUL_STRING },

	[CTA_TIMEOUT_NAME]	= { .type = NLA_NUL_STRING,

				    .len  = CTNL_TIMEOUT_NAME_MAX - 1},

	[CTA_TIMEOUT_L3PROTO]	= { .type = NLA_U16 },

	[CTA_TIMEOUT_L4PROTO]	= { .type = NLA_U8 },

	[CTA_TIMEOUT_DATA]	= { .type = NLA_NESTED },