From patchwork Thu Mar  1 17:09:03 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: santosh nayak <santoshprasadnayak@gmail.com>
X-Patchwork-Id: 144078
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 0C8DCB6F9D
	for <patchwork-incoming@ozlabs.org>;
	Fri,  2 Mar 2012 04:10:18 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1758798Ab2CARJ7 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 1 Mar 2012 12:09:59 -0500
Received: from mail-pz0-f46.google.com ([209.85.210.46]:54506 "EHLO
	mail-pz0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1758524Ab2CARJ5 (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 1 Mar 2012 12:09:57 -0500
Received: by dajr28 with SMTP id r28so953819daj.19
	for <multiple recipients>; Thu, 01 Mar 2012 09:09:56 -0800 (PST)
Received-SPF: pass (google.com: domain of santoshprasadnayak@gmail.com
	designates 10.68.229.67 as permitted sender)
	client-ip=10.68.229.67;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of
	santoshprasadnayak@gmail.com designates 10.68.229.67 as
	permitted sender) smtp.mail=santoshprasadnayak@gmail.com;
	dkim=pass header.i=santoshprasadnayak@gmail.com
Received: from mr.google.com ([10.68.229.67])
	by 10.68.229.67 with SMTP id so3mr4838775pbc.163.1330621796876
	(num_hops = 1); Thu, 01 Mar 2012 09:09:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=from:to:cc:subject:date:message-id:x-mailer;
	bh=oP9XYbMs4nmkwkBbYQNv5SBib6iC4qNkpUQ3MjD6ukg=;
	b=elDUaooBBivl4z7KQ7YO+m5ws7ZaPr8vyJBpB4tBGFxvgmBms7XtRTz3cTien7OuhN
	xmSJ3tFVcIp7EPPQPBmd6gcYAgFM2TwrXQAOlmltMuSTwJzIeiIBLVlWIP453RnYBHkJ
	OCvF+uBOtEzaNuAfhYZrsaLkctIcQYVo+tR3k=
Received: by 10.68.229.67 with SMTP id so3mr4047158pbc.163.1330621796487;
	Thu, 01 Mar 2012 09:09:56 -0800 (PST)
Received: from localhost.localdomain ([14.97.49.137])
	by mx.google.com with ESMTPS id u8sm2522080pbr.53.2012.03.01.09.09.51
	(version=TLSv1/SSLv3 cipher=OTHER);
	Thu, 01 Mar 2012 09:09:55 -0800 (PST)
From: santosh nayak <santoshprasadnayak@gmail.com>
To: bart.de.schuymer@pandora.be
Cc: pablo@netfilter.org, kaber@trash.net, shemminger@vyatta.com,
	davem@davemloft.net, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-janitors@vger.kernel.org,
	Santosh Nayak <santoshprasadnayak@gmail.com>
Subject: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
Date: Thu,  1 Mar 2012 22:39:03 +0530
Message-Id: <1330621743-12883-1-git-send-email-santoshprasadnayak@gmail.com>
X-Mailer: git-send-email 1.7.4.4
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Santosh Nayak <santoshprasadnayak@gmail.com>

user-space ebtables expects 32 bytes-long names, but xt_match uses
29 bytes. Fill the remaining bytes with zeroes.

Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
---
 net/bridge/netfilter/ebtables.c |   14 +++++++++++---
 1 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5864cc4..21f337a 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1335,7 +1335,10 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m,
     const char *base, char __user *ubase)
 {
 	char __user *hlp = ubase + ((char *)m - base);
-	if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
+	char name[EBT_FUNCTION_MAXNAMELEN] = {};
+
+	strncpy(name, m->u.match->name, sizeof(name));
+	if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
 		return -EFAULT;
 	return 0;
 }
@@ -1344,7 +1347,10 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
     const char *base, char __user *ubase)
 {
 	char __user *hlp = ubase + ((char *)w - base);
-	if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
+	char name[EBT_FUNCTION_MAXNAMELEN] = {};
+
+	strncpy(name, w->u.watcher->name, sizeof(name));
+	if (copy_to_user(hlp , name, EBT_FUNCTION_MAXNAMELEN))
 		return -EFAULT;
 	return 0;
 }
@@ -1355,10 +1361,12 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
 	int ret;
 	char __user *hlp;
 	const struct ebt_entry_target *t;
+	char name[EBT_FUNCTION_MAXNAMELEN] = {};
 
 	if (e->bitmask == 0)
 		return 0;
 
+	strncpy(name, t->u.target->name, sizeof(name));
 	hlp = ubase + (((char *)e + e->target_offset) - base);
 	t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
 
@@ -1368,7 +1376,7 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
 	ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
 	if (ret != 0)
 		return ret;
-	if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
+	if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
 		return -EFAULT;
 	return 0;
 }