[PATCH 5/6] netfilter: arp_tables: fix infoleak to userspace CVE-2011-1170

Paolo Pisati paolo.pisati at canonical.com
Mon Jul 4 16:08:30 UTC 2011


On 07/04/2011 04:47 PM, Stefan Bader wrote:
>>
>> diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
>> index 2909c92..da85e92 100644
>> --- a/net/ipv4/netfilter/arp_tables.c
>> +++ b/net/ipv4/netfilter/arp_tables.c
>> @@ -816,6 +816,7 @@ static int do_replace(void __user *user, unsigned int len)
>>  		return -ENOMEM;
>>  	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
>>  		return -ENOMEM;
>> +	tmp.name[sizeof(tmp.name)-1] = 0;
>>  
>>  	newinfo = xt_alloc_table_info(tmp.size);
>>  	if (!newinfo)
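Review bot: The added `tmp.name[sizeof(tmp.name)-1] = 0;` is placed in do_replace(), which does not match the upstream placement in compat_do_replace() that the follow-up in this thread points out; nothing in the visible context consumes tmp.name as a C string, so the line is harmless here but is not part of the infoleak fix being backported. Either move it to match upstream or state in the commit message why do_replace() also needs the termination.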
> 
> Comparing the second hunk against upstream, there may be a misplacement. In
> upstream code the change was in compat_do_replace().

Actually I did it on purpose because I was sure there was some code
printk-ing tmp.name later, but it's clearly not the case: it doesn't
hurt, since I'm just enforcing that the array is correctly terminated, but
it doesn't belong in this security fix.

The same rationale applies for
net/ipv6/netfilter/ip6_tables.c::do_add_counters().

Please hold on.
-- 
bye,
p.
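The point under discussion, as an added example that is not part of the patch or of the kernel source: a header struct copied from userspace carries a fixed-size name array that userspace need not terminate, so any later consumer that treats it as a C string (a `%s` format, for instance) walks off the end of the array into adjacent memory. The struct, its field names and the `NAME_LEN` constant below are constructed stand-ins (the kernel's own constant is not on the page); the one-line hardening is the line from the hunk.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's fixed-size table name field. The real constant
 * is not on the page, so 32 is an assumed value for this example. */
#define NAME_LEN 32

/* Constructed stand-in for the struct do_replace() copies from userspace.
 * Only the name field matters for the termination question. */
struct replace_hdr {
    char name[NAME_LEN];
    unsigned int size;
    unsigned int num_counters;
};

/* 1 if name holds a NUL inside the array, 0 if it runs to the end unterminated. */
int name_is_terminated(const struct replace_hdr *h)
{
    return memchr(h->name, '\0', sizeof(h->name)) != NULL;
}

/* Length a %s-style consumer would walk before stopping, bounded by the array.
 * A result equal to sizeof(name) means the consumer would keep reading past
 * the array into whatever follows it. */
size_t name_visible_len(const struct replace_hdr *h)
{
    const char *nul = memchr(h->name, '\0', sizeof(h->name));
    return nul ? (size_t)(nul - h->name) : sizeof(h->name);
}

/* The one-line hardening from the patch: force a terminator in the last slot. */
void terminate_name(struct replace_hdr *h)
{
    h->name[sizeof(h->name) - 1] = '\0';
}

/* Simulates copy_from_user() of a header whose name bytes are all non-NUL
 * (constructed input: 32 'A's and no terminator). */
void load_untrusted_header(struct replace_hdr *h)
{
    memset(h, 0, sizeof(*h));
    memset(h->name, 'A', sizeof(h->name));
    h->size = 1;
    h->num_counters = 1;
}

/* Whether the raw userspace copy was terminated (0 for the constructed input). */
int demo_raw_terminated(void)
{
    struct replace_hdr h;
    load_untrusted_header(&h);
    return name_is_terminated(&h);
}

/* Bounded length after applying the fix (NAME_LEN - 1 for the constructed input). */
size_t demo_fixed_len(void)
{
    struct replace_hdr h;
    load_untrusted_header(&h);
    terminate_name(&h);
    return name_visible_len(&h);
}

int main(void)
{
    struct replace_hdr h;
    load_untrusted_header(&h);
    printf("raw copy terminated: %d, bounded length: %zu\n",
           name_is_terminated(&h), name_visible_len(&h));
    terminate_name(&h);
    printf("after fix terminated: %d, length: %zu (\"%s\")\n",
           name_is_terminated(&h), name_visible_len(&h), h.name);
    return 0;
}
```

Forcing the last byte to NUL silently truncates an over-long name; a stricter variant of the same check would instead reject the request when `name_is_terminated()` returns 0, which is the choice to make when the name is later compared against known table names rather than merely printed.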
