netfilter: xt_CT: Reject the non-null terminated string from user space
The helper and timeout strings come from user space, so we need to make sure they are NUL-terminated. If they are not, a malicious user could make the kernel read unexpected memory, and even print it when the lookup fails, via the following code: pr_info_ratelimited("No such helper \"%s\"\n", helper_name); Signed-off-by: Gao Feng <gfree.wind@vip.163.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
664088f8d6
commit
8f4d19aacb
1 changed files with 10 additions and 0 deletions
|
@ -245,12 +245,22 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
|
|||
}
|
||||
|
||||
if (info->helper[0]) {
|
||||
if (strnlen(info->helper, sizeof(info->helper)) == sizeof(info->helper)) {
|
||||
ret = -ENAMETOOLONG;
|
||||
goto err3;
|
||||
}
|
||||
|
||||
ret = xt_ct_set_helper(ct, info->helper, par);
|
||||
if (ret < 0)
|
||||
goto err3;
|
||||
}
|
||||
|
||||
if (info->timeout[0]) {
|
||||
if (strnlen(info->timeout, sizeof(info->timeout)) == sizeof(info->timeout)) {
|
||||
ret = -ENAMETOOLONG;
|
||||
goto err4;
|
||||
}
|
||||
|
||||
ret = xt_ct_set_timeout(ct, par, info->timeout);
|
||||
if (ret < 0)
|
||||
goto err4;
|
||||
|
|
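Review bot: The two added `strnlen(...) == sizeof(...)` guards, on `info->helper` and on `info->timeout`, carry no comment saying that these arrays arrive from user space and may contain no NUL byte, which is the only reason the checks exist. I would put a line such as `/* user-supplied and possibly unterminated: reject before it is used as a C string */` above each guard, so a later refactor does not drop them as redundant with the `info->helper[0]` and `info->timeout[0]` tests. Both guards also sit behind the `err3`/`err4` unwind labels, which suggests earlier setup has already run by the time the input is rejected; validating both strings at the top of `xt_ct_tg_check` would fail malformed input before anything needs unwinding. That last point is inferred, since the function body starts and ends outside the hunk.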