ACK: [hardy CVE 1/1] netfilter: ipt_CLUSTERIP: fix buffer overflow
Stefan Bader
stefan.bader at canonical.com
Thu Jul 7 09:30:42 UTC 2011
On 07.07.2011 11:28, Andy Whitcroft wrote:
> From: Vasiliy Kulikov <segoon at openwall.com>
>
> 'buffer' string is copied from userspace. It is not checked whether it is
> zero terminated. This may lead to overflow inside of simple_strtoul().
> Changli Gao suggested to copy not more than user supplied 'size' bytes.
>
> It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
> root writable only by default, however, on some setups permissions might be
> relaxed to e.g. network admin user.
>
> Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
> Acked-by: Changli Gao <xiaosuo at gmail.com>
> Signed-off-by: Patrick McHardy <kaber at trash.net>
>
> (cherry picked from commit 961ed183a9fd080cf306c659b8736007e44065a5)
> CVE-2011-2534
> BugLink: http://bugs.launchpad.net/bugs/801473
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
> net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
> index 2f544da..6420953 100644
> --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
> +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
> @@ -686,8 +686,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
> struct clusterip_config *c = pde->data;
> unsigned long nodenum;
>
> - if (copy_from_user(buffer, input, PROC_WRITELEN))
> + if (size > PROC_WRITELEN)
> + return -EIO;
> + if (copy_from_user(buffer, input, size))
> return -EFAULT;
> + buffer[size] = 0;
>
> if (*buffer == '+') {
> nodenum = simple_strtoul(buffer+1, NULL, 10);
Looks reasonable.
Acked-by: Stefan Bader <stefan.bader at canonical.com>
More information about the kernel-team
mailing list