From patchwork Fri Feb 19 03:41:45 2010
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 45835
X-Patchwork-Delegate: apw@canonical.com
Message-ID: <4B7E0879.4090504@canonical.com>
Date: Thu, 18 Feb 2010 20:41:45 -0700
From: Tim Gardner
To: Andy Whitcroft
Cc: Kernel team list
Subject: [PATCH] xt_recent: Fix buffer overflow
List-Id: Kernel team discussions
Reply-To: tim.gardner@canonical.com

If this looks right, then I'll send it upstream, and it should be a pre-stable patch.

rtg

From 478a6cbbd7646c78370da48677e99cc602076dd7 Mon Sep 17 00:00:00 2001
From: Tim Gardner
Date: Thu, 18 Feb 2010 20:04:51 -0700
Subject: [PATCH] xt_recent: Fix buffer overflow

e->index overflows e->stamps[] every ip_pkt_list_tot packets. Consider
the case when ip_pkt_list_tot==1; the first packet received is stored
in e->stamps[0] and e->index is initialized to 1. The next received
packet timestamp is then stored at e->stamps[1] in
recent_entry_update(), a buffer overflow because the maximum
e->stamps[] index is 0.

Signed-off-by: Tim Gardner
Cc: stable@kernel.org
---
 net/netfilter/xt_recent.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index fc70a49..1bb0d6c 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -173,10 +173,10 @@ recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr,
 static void recent_entry_update(struct recent_table *t, struct recent_entry *e)
 {
+	e->index %= ip_pkt_list_tot;
 	e->stamps[e->index++] = jiffies;
 	if (e->index > e->nstamps)
 		e->nstamps = e->index;
-	e->index %= ip_pkt_list_tot;
 	list_move_tail(&e->lru_list, &t->lru_list);
 }
--
1.6.2.4
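Review bot: wrapping e->index before the store, rather than after it, is the right place for the modulus in this hunk, because recent_entry_init() (the function the hunk header sits in) leaves e->index at 1 without ever wrapping it, so with ip_pkt_list_tot == 1 the old ordering writes e->stamps[1] before the first `e->index %= ip_pkt_list_tot;` ever runs; with the wrap on entry every store lands in [0, ip_pkt_list_tot). Two side effects to confirm against the rest of the file, which this hunk does not show: the old code always left e->index already wrapped when recent_entry_update() returned, whereas after this change e->index is left equal to ip_pkt_list_tot once the last slot has been written and is only wrapped on the next call, so any other reader of e->index must tolerate that value; and e->nstamps, which the old ordering bumped to 2 for ip_pkt_list_tot == 1 via the out-of-bounds store, can now never exceed ip_pkt_list_tot. The modulus also still divides by ip_pkt_list_tot, so a zero value of the module parameter would fault; that is unchanged by this patch, but worth checking that it is rejected where the parameter is validated.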
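The overflow described in the commit message is easiest to see by replaying the two orderings of the store and the modulus on a small model. The program below is an added example, not code from the patch or from the kernel: it mirrors recent_entry_init() and recent_entry_update() in user space, with a stand-in `tot` for the module parameter ip_pkt_list_tot and a constructed counter in place of jiffies. The unpatched variant reports the out-of-range slot it would have written instead of actually writing past the buffer, so the program stays well defined while still showing where the old ordering goes wrong.

```c
/* Added example (not part of the xt_recent patch or the kernel): a user-space
 * model of recent_entry_init()/recent_entry_update() that replays the old and
 * the patched ordering of the store and the modulus and reports where
 * e->index lands. "tot" stands in for ip_pkt_list_tot; the timestamp values
 * are a constructed counter standing in for jiffies. */
#include <stdlib.h>
#include <stdio.h>

struct recent_entry {
    unsigned int nstamps;   /* number of valid entries in stamps[] */
    unsigned int index;     /* next slot to write */
    unsigned int tot;       /* ring size, i.e. ip_pkt_list_tot (assumed >= 1) */
    unsigned long *stamps;  /* ring of tot timestamps */
};

struct model_result {
    int first_bad;          /* first out-of-range slot seen, or -1 if none */
    unsigned int nstamps;   /* e->nstamps after the last packet */
};

/* Mirrors recent_entry_init(): first stamp goes in slot 0, index is left at 1
 * without being wrapped, which is what the tot == 1 case trips over. */
static void model_entry_init(struct recent_entry *e, unsigned int tot, unsigned long now)
{
    e->tot = tot;
    e->stamps = calloc(tot, sizeof(*e->stamps));
    e->stamps[0] = now;
    e->index = 1;
    e->nstamps = 1;
}

/* Old ordering: store first, wrap afterwards. Returns -1 on an in-range store,
 * otherwise the slot the kernel would have written past the end of stamps[]. */
static int update_unpatched(struct recent_entry *e, unsigned long now)
{
    unsigned int slot = e->index++;
    int bad = -1;

    if (slot >= e->tot)
        bad = (int)slot;        /* the real code writes e->stamps[slot] here */
    else
        e->stamps[slot] = now;
    if (e->index > e->nstamps)
        e->nstamps = e->index;  /* note: can exceed tot via the bad slot */
    e->index %= e->tot;
    return bad;
}

/* Patched ordering: wrap first, then store. */
static int update_patched(struct recent_entry *e, unsigned long now)
{
    unsigned int slot;

    e->index %= e->tot;
    slot = e->index++;
    if (slot >= e->tot)
        return (int)slot;       /* cannot happen once the wrap runs first */
    e->stamps[slot] = now;
    if (e->index > e->nstamps)
        e->nstamps = e->index;
    return -1;
}

/* Feed npkts packets (the first one via init) through a single entry. */
static struct model_result run_model(unsigned int tot, unsigned int npkts,
                                     int (*update)(struct recent_entry *, unsigned long))
{
    struct recent_entry e;
    struct model_result r = { -1, 0 };
    unsigned long now = 1000;   /* constructed jiffies value */
    unsigned int i;

    model_entry_init(&e, tot, now);
    for (i = 1; i < npkts; i++) {
        int bad = update(&e, now + i);
        if (bad >= 0 && r.first_bad < 0)
            r.first_bad = bad;
    }
    r.nstamps = e.nstamps;
    free(e.stamps);
    return r;
}

int main(void)
{
    unsigned int tot;

    for (tot = 1; tot <= 4; tot++) {
        struct model_result old = run_model(tot, 10, update_unpatched);
        struct model_result fix = run_model(tot, 10, update_patched);
        printf("tot=%u unpatched: first bad slot %d, nstamps %u\n", tot, old.first_bad, old.nstamps);
        printf("tot=%u patched:   first bad slot %d, nstamps %u\n", tot, fix.first_bad, fix.nstamps);
    }
    return 0;
}
```

Only the `tot == 1` row differs between the two orderings: the old code tries slot 1 on the second packet and leaves nstamps at 2, while the patched ordering never leaves the single valid slot. For `tot >= 2` the old ordering happens to wrap in time because init's index of 1 is still in range, which is why the bug only shows with a ring of one entry.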