From patchwork Thu Mar 1 09:16:30 2012
X-Patchwork-Submitter: santosh nayak
X-Patchwork-Id: 143970
X-Patchwork-Delegate: davem@davemloft.net
From: santosh nayak
To: bart.de.schuymer@pandora.be
Cc: pablo@netfilter.org, kaber@trash.net, shemminger@vyatta.com, davem@davemloft.net, netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Santosh Nayak
Subject: [PATCH 1/3] netfilter: Fix copy_to_user too small size parameter.
Date: Thu, 1 Mar 2012 14:46:30 +0530
Message-Id: <1330593390-19233-1-git-send-email-santoshprasadnayak@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Santosh Nayak

While copying to userspace, the size of the source is 29 bytes whereas the size parameter is 32 bytes. It's leaking extra information from kernel space to user space. Replace EBT_FUNCTION_MAXNAMELEN by XT_EXTENSION_MAXNAMELEN.

Signed-off-by: Santosh Nayak
---
 net/bridge/netfilter/ebtables.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 5864cc4..f3fcbd9 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1335,7 +1335,7 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m, const char *base, char __user *ubase) { char __user *hlp = ubase + ((char *)m - base); - if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) + if (copy_to_user(hlp, m->u.match->name, XT_EXTENSION_MAXNAMELEN)) return -EFAULT; return 0; } 
@@ -1344,7 +1344,7 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w, const char *base, char __user *ubase) { char __user *hlp = ubase + ((char *)w - base); - if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) + if (copy_to_user(hlp , w->u.watcher->name, XT_EXTENSION_MAXNAMELEN)) return -EFAULT; return 0; } @@ -1368,7 +1368,7 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase) ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase); if (ret != 0) return ret; - if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN)) + if (copy_to_user(hlp, t->u.target->name, XT_EXTENSION_MAXNAMELEN)) return -EFAULT; return 0; }
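
Review bot: all three copy_to_user() calls (in ebt_make_matchname, ebt_make_watchername and ebt_make_names) now write only XT_EXTENSION_MAXNAMELEN bytes to hlp, where the removed lines wrote EBT_FUNCTION_MAXNAMELEN. Going by the commit message's figures (29 versus 32), the last 3 bytes of each userspace name field are no longer set by the kernel and keep whatever the caller's buffer held. If userspace relies on a fully written, NUL-padded name field, a safer shape is to copy the name into a zero-initialised local buffer of EBT_FUNCTION_MAXNAMELEN bytes and pass that buffer to copy_to_user() with the original length; that stops the over-read of the source without changing how many bytes userspace receives. The commit message should also say which structure's name member is 29 bytes, since the hunks do not show it and the choice of XT_EXTENSION_MAXNAMELEN depends on it. If that member is an array, sizing the copy from the source itself would keep the two from drifting apart again.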