Commit 8f4d19aa authored by Gao Feng's avatar Gao Feng Committed by Pablo Neira Ayuso

netfilter: xt_CT: Reject the non-null terminated string from user space

The helper and timeout strings are from user-space, we need to make
sure they are null terminated. If not, evil user could make kernel
read the unexpected memory, even print it when fail to find by the
following codes.

pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
Signed-off-by: default avatarGao Feng <gfree.wind@vip.163.com>
Acked-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 664088f8
...@@ -245,12 +245,22 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, ...@@ -245,12 +245,22 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
} }
if (info->helper[0]) { if (info->helper[0]) {
if (strnlen(info->helper, sizeof(info->helper)) == sizeof(info->helper)) {
ret = -ENAMETOOLONG;
goto err3;
}
ret = xt_ct_set_helper(ct, info->helper, par); ret = xt_ct_set_helper(ct, info->helper, par);
if (ret < 0) if (ret < 0)
goto err3; goto err3;
} }
if (info->timeout[0]) { if (info->timeout[0]) {
if (strnlen(info->timeout, sizeof(info->timeout)) == sizeof(info->timeout)) {
ret = -ENAMETOOLONG;
goto err4;
}
ret = xt_ct_set_timeout(ct, par, info->timeout); ret = xt_ct_set_timeout(ct, par, info->timeout);
if (ret < 0) if (ret < 0)
goto err4; goto err4;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment