Commit 442a395f authored by Mathias Krause's avatar Mathias Krause Committed by Jiri Slaby

netfilter: ipt_ULOG: fix info leaks

commit 278f2b3e upstream.

The ulog messages leak heap bytes by the means of padding bytes and
incompletely filled string arrays. Fix those by memset(0)'ing the
whole struct before filling it.
Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
parent 8c23d6e1
...@@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net, ...@@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net,
ub->qlen++; ub->qlen++;
pm = nlmsg_data(nlh); pm = nlmsg_data(nlh);
memset(pm, 0, sizeof(*pm));
/* We might not have a timestamp, get one */ /* We might not have a timestamp, get one */
if (skb->tstamp.tv64 == 0) if (skb->tstamp.tv64 == 0)
...@@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net, ...@@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net,
} }
else if (loginfo->prefix[0] != '\0') else if (loginfo->prefix[0] != '\0')
strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)); strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
else
*(pm->prefix) = '\0';
if (in && in->hard_header_len > 0 && if (in && in->hard_header_len > 0 &&
skb->mac_header != skb->network_header && skb->mac_header != skb->network_header &&
...@@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net, ...@@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net,
if (in) if (in)
strncpy(pm->indev_name, in->name, sizeof(pm->indev_name)); strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
else
pm->indev_name[0] = '\0';
if (out) if (out)
strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));
else
pm->outdev_name[0] = '\0';
/* copy_len <= skb->len, so can't fail. */ /* copy_len <= skb->len, so can't fail. */
if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment