Commit 961ed183 authored Mar 20, 2011 by Vasiliy Kulikov Committed by Patrick McHardy Mar 20, 2011

netfilter: ipt_CLUSTERIP: fix buffer overflow



'buffer' string is copied from userspace.  It is not checked whether it is
zero terminated.  This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

parent db856674

net/ipv4/netfilter/ipt_CLUSTERIP.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -664,8 +664,11 @@ static ssize_t clusterip_proc_write(struct file file, const char __user input,
		char buffer[PROC_WRITELEN+1];
		unsigned long nodenum;

		if (copy_from_user(buffer, input, PROC_WRITELEN))
		if (size > PROC_WRITELEN)
		return -EIO;
		if (copy_from_user(buffer, input, size))
		return -EFAULT;
		buffer[size] = 0;

		if (*buffer == '+') {
		nodenum = simple_strtoul(buffer+1, NULL, 10);