Patchwork [3.8.y.z,extended,stable] Patch "netfilter: ipt_ULOG: fix non-null terminated string in the" has been added to staging queue

mail settings
Submitter Luis Henriques
Date July 9, 2013, 4:29 p.m.
Message ID <>
Download mbox | patch
Permalink /patch/257827/
State New
Headers show


Luis Henriques - July 9, 2013, 4:29 p.m.
This is a note to let you know that I have just added a patch titled

    netfilter: ipt_ULOG: fix non-null terminated string in the

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.8.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see



From b2db6f1233497195ce29eb98423b3ed56bdc1434 Mon Sep 17 00:00:00 2001
From: Chen Gang <>
Date: Thu, 23 May 2013 01:50:46 +0000
Subject: [PATCH] netfilter: ipt_ULOG: fix non-null terminated string in the
 nf_log path

commit 4f36ea6eed2081340c7a7aa98c73187ecfccebff upstream.

If nf_log uses ipt_ULOG as logging output, we can deliver non-null
terminated strings to user-space since the maximum length of the
prefix that is passed by nf_log is NF_LOG_PREFIXLEN but pm->prefix
is 32 bytes long (ULOG_PREFIX_LEN).

This is actually happening already from nf_conntrack_tcp if ipt_ULOG
is used, since it is passing strings longer than 32 bytes.

Signed-off-by: Chen Gang <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Luis Henriques <>
 net/ipv4/netfilter/ipt_ULOG.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)



diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index b5ef3cb..db5f368 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -217,8 +217,10 @@  static void ipt_ulog_packet(unsigned int hooknum,
 	put_unaligned(tv.tv_usec, &pm->timestamp_usec);
 	put_unaligned(skb->mark, &pm->mark);
 	pm->hook = hooknum;
-	if (prefix != NULL)
-		strncpy(pm->prefix, prefix, sizeof(pm->prefix));
+	if (prefix != NULL) {
+		strncpy(pm->prefix, prefix, sizeof(pm->prefix) - 1);
+		pm->prefix[sizeof(pm->prefix) - 1] = '\0';
+	}
 	else if (loginfo->prefix[0] != '\0')
 		strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));