This is a note to let you know that I've just added the patch titled
netfilter: ipt_CLUSTERIP: fix buffer overflow
to the 2.6.38-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
netfilter-ipt_clusterip-fix-buffer-overflow.patch
and it can be found in the queue-2.6.38 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 961ed183a9fd080cf306c659b8736007e44065a5 Mon Sep 17 00:00:00 2001
From: Vasiliy Kulikov <[email protected]>
Date: Sun, 20 Mar 2011 15:42:52 +0100
Subject: netfilter: ipt_CLUSTERIP: fix buffer overflow
From: Vasiliy Kulikov <[email protected]>
commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.
'buffer' string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.
It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.
Signed-off-by: Vasiliy Kulikov <[email protected]>
Acked-by: Changli Gao <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -669,8 +669,11 @@ static ssize_t clusterip_proc_write(stru
char buffer[PROC_WRITELEN+1];
unsigned long nodenum;
- if (copy_from_user(buffer, input, PROC_WRITELEN))
+ if (size > PROC_WRITELEN)
+ return -EIO;
+ if (copy_from_user(buffer, input, size))
return -EFAULT;
+ buffer[size] = 0;
if (*buffer == '+') {
nodenum = simple_strtoul(buffer+1, NULL, 10);
Patches currently in stable-queue which might be from [email protected] are
queue-2.6.38/econet-4-byte-infoleak-to-the-network.patch
queue-2.6.38/scsi_transport_iscsi-make-priv_sess-file-writeable-only-by-root.patch
queue-2.6.38/drivers-leds-leds-lp5521.c-world-writable-sysfs-engine-files.patch
queue-2.6.38/drivers-rtc-rtc-ds1511.c-world-writable-sysfs-nvram-file.patch
queue-2.6.38/mfd-ab3500-world-writable-debugfs-register-files.patch
queue-2.6.38/drivers-misc-ep93xx_pwm.c-world-writable-sysfs-files.patch
queue-2.6.38/bluetooth-bnep-fix-buffer-overflow.patch
queue-2.6.38/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
queue-2.6.38/mfd-ab3100-world-writable-debugfs-_priv-files.patch
queue-2.6.38/bridge-netfilter-fix-information-leak.patch
queue-2.6.38/mfd-ab8500-world-writable-debugfs-register-files.patch
queue-2.6.38/netfilter-ip_tables-fix-infoleak-to-userspace.patch
queue-2.6.38/netfilter-ipt_clusterip-fix-buffer-overflow.patch
queue-2.6.38/drivers-leds-leds-lp5523.c-world-writable-engine-sysfs-files.patch
queue-2.6.38/netfilter-arp_tables-fix-infoleak-to-userspace.patch
queue-2.6.38/bluetooth-sco-fix-information-leak-to-userspace.patch
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
