From patchwork Thu Jul 7 09:28:05 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [hardy,CVE,1/1] netfilter: ipt_CLUSTERIP: fix buffer overflow
Date: Wed, 06 Jul 2011 23:28:05 -0000
From: Andy Whitcroft
X-Patchwork-Id: 103625
Message-Id: <1310030885-17977-2-git-send-email-apw@canonical.com>
To: kernel-team@lists.ubuntu.com

From: Vasiliy Kulikov

'buffer' string is copied from userspace. It is not checked whether it is zero terminated. This may lead to overflow inside of simple_strtoul(). Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are root writable only by default, however, on some setups permissions might be relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov
Acked-by: Changli Gao
Signed-off-by: Patrick McHardy
(cherry picked from commit 961ed183a9fd080cf306c659b8736007e44065a5)
CVE-2011-2534
BugLink: http://bugs.launchpad.net/bugs/801473
Signed-off-by: Andy Whitcroft
Acked-by: Stefan Bader
---
 net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 2f544da..6420953 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -686,8 +686,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input, struct clusterip_config *c = pde->data; unsigned long nodenum; - if (copy_from_user(buffer, input, PROC_WRITELEN)) + if (size > PROC_WRITELEN) + return -EIO; + if (copy_from_user(buffer, input, size)) return -EFAULT; + buffer[size] = 0; if (*buffer == '+') { nodenum = simple_strtoul(buffer+1, NULL, 10);
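Review bot: the bound and the terminator in this hunk only agree if buffer is declared PROC_WRITELEN + 1 bytes, because `if (size > PROC_WRITELEN)` still admits size == PROC_WRITELEN and `buffer[size] = 0;` then writes index PROC_WRITELEN; that declaration is outside the hunk, so pin the relationship where it is relied on, for example `if (size >= sizeof(buffer))` in place of the macro comparison, or a `BUILD_BUG_ON(sizeof(buffer) != PROC_WRITELEN + 1);` next to the copy, so a later edit to one side cannot silently reopen the overflow. Two smaller points: -EIO for an over-long write is an odd choice where -EINVAL would tell userspace the request itself was bad, and `simple_strtoul(buffer+1, NULL, 10)` with a NULL end pointer still accepts trailing garbage ("+12abc" parses as 12); the latter is not a memory-safety issue and does not need to block this fix.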
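The unterminated-buffer problem the commit message describes, as an added example that is not part of the patch or of the kernel source: a user-space model of clusterip_proc_write() before and after this change. It assumes buffer[] is PROC_WRITELEN + 1 bytes (not visible in the hunk, but what buffer[size] = 0 with size == PROC_WRITELEN requires), replaces copy_from_user() and simple_strtoul() with instrumented stand-ins, models the stale stack after buffer[] as digits so the over-read can be counted, and covers only the '+' branch the hunk shows; struct frame, struct result, fake_copy_from_user, scan_decimal, parse_plus, run and the constructed user_page are all invented for the model.

```c
/* Added example, not kernel code: a user-space model of clusterip_proc_write()
 * before and after the patch. Assumptions: buffer[] is PROC_WRITELEN + 1 bytes
 * (what the patched buffer[size] = 0 with size == PROC_WRITELEN needs), stale
 * stack bytes after it are digits, and only the '+' branch is modelled. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PROC_WRITELEN 10

struct frame {
    char mem[PROC_WRITELEN + 1 + 8 + 1]; /* buffer[], 8 stack bytes, model NUL */
};

static void frame_init(struct frame *f)
{
    memset(f->mem, '7', sizeof f->mem - 1);   /* stale digits make over-read visible */
    f->mem[sizeof f->mem - 1] = '\0';         /* only keeps the model in-bounds */
}

/* Mimics simple_strtoul(s, NULL, 10) and reports the index that stopped the scan. */
static unsigned long scan_decimal(const struct frame *f, size_t start, size_t *stop)
{
    unsigned long v = 0;
    size_t i = start;
    while (f->mem[i] >= '0' && f->mem[i] <= '9')
        v = v * 10 + (unsigned long)(f->mem[i++] - '0');
    *stop = i;
    return v;
}

/* Stand-in for copy_from_user(): only user_len bytes of the user page are readable. */
static int fake_copy_from_user(char *dst, const char *user, size_t user_len, size_t n)
{
    if (n > user_len)
        return -1;
    memcpy(dst, user, n);
    return 0;
}

/* The '+' branch shared by both versions. Any byte read at an index above
 * PROC_WRITELEN lies outside buffer[] and is counted in *oob. */
static long parse_plus(const struct frame *f, size_t size, unsigned long *nodenum, size_t *oob)
{
    size_t stop;
    if (f->mem[0] != '+')
        return -EIO;
    *nodenum = scan_decimal(f, 1, &stop);
    *oob = stop > PROC_WRITELEN ? stop - PROC_WRITELEN : 0;
    return (long)size;
}

/* Before the patch: copy PROC_WRITELEN bytes whatever size says and never
 * terminate, so a write that is all digits after '+' lets the scan run on. */
static long proc_write_before(struct frame *f, const char *user, size_t user_len,
                              size_t size, unsigned long *nodenum, size_t *oob)
{
    frame_init(f);
    if (fake_copy_from_user(f->mem, user, user_len, PROC_WRITELEN))
        return -EFAULT;
    return parse_plus(f, size, nodenum, oob);
}

/* After the patch: bound size, copy exactly size bytes, then terminate. */
static long proc_write_after(struct frame *f, const char *user, size_t user_len,
                             size_t size, unsigned long *nodenum, size_t *oob)
{
    frame_init(f);
    if (size > PROC_WRITELEN)
        return -EIO;
    if (fake_copy_from_user(f->mem, user, user_len, size))
        return -EFAULT;
    f->mem[size] = '\0';
    return parse_plus(f, size, nodenum, oob);
}

/* Constructed input: a 10-byte write, all digits after '+', no terminator. */
static const char user_page[] = "+123456789";
#define USER_LEN (sizeof user_page - 1)

struct result { long ret; unsigned long nodenum; size_t oob; };

/* Run the constructed write through the old (patched == 0) or new handler. */
static struct result run(int patched, size_t size)
{
    struct frame f;
    struct result r = { 0, 0, 0 };
    r.ret = patched ? proc_write_after(&f, user_page, USER_LEN, size, &r.nodenum, &r.oob)
                    : proc_write_before(&f, user_page, USER_LEN, size, &r.nodenum, &r.oob);
    return r;
}

int main(void)
{
    struct result old = run(0, USER_LEN), fixed = run(1, USER_LEN);
    printf("before: %zu byte(s) read past buffer[]\n", old.oob);
    printf("after:  nodenum=%lu, %zu byte(s) past buffer[]\n", fixed.nodenum, fixed.oob);
    printf("after:  %zu-byte write returns %ld\n", USER_LEN + 1, run(1, USER_LEN + 1).ret);
    return 0;
}
```

With the constructed 10-byte write the old handler scans 9 bytes past buffer[] (the digits simply continue into whatever follows on the stack, so the parsed node number is garbage as well), while the patched handler parses nodenum 123456789 with no over-read and rejects an 11-byte write with -EIO. The model also makes the other defect of the old code visible: it copied PROC_WRITELEN bytes even for a two-byte write, reading user memory past what write() supplied and faulting with -EFAULT when that memory was not mapped.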