* Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
@ 2012-03-01 17:21 ` santosh nayak
0 siblings, 0 replies; 12+ messages in thread
From: santosh nayak @ 2012-03-01 17:09 UTC (permalink / raw)
To: bart.de.schuymer
Cc: pablo, kaber, shemminger, davem, netdev, netfilter-devel,
linux-kernel, kernel-janitors, Santosh Nayak
From: Santosh Nayak <santoshprasadnayak@gmail.com>
user-space ebtables expects 32 bytes-long names, but xt_match uses
29 bytes. Fill the remaining bytes with zeroes.
Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
---
net/bridge/netfilter/ebtables.c | 14 +++++++++++---
1 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5864cc4..21f337a 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1335,7 +1335,10 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m,
const char *base, char __user *ubase)
{
char __user *hlp = ubase + ((char *)m - base);
- if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
+ char name[EBT_FUNCTION_MAXNAMELEN] = {};
+
+ strncpy(name, m->u.match->name, sizeof(name));
+ if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
return -EFAULT;
return 0;
}
@@ -1344,7 +1347,10 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
const char *base, char __user *ubase)
{
char __user *hlp = ubase + ((char *)w - base);
- if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
+ char name[EBT_FUNCTION_MAXNAMELEN] = {};
+
+ strncpy(name, w->u.watcher->name, sizeof(name));
+ if (copy_to_user(hlp , name, EBT_FUNCTION_MAXNAMELEN))
return -EFAULT;
return 0;
}
@@ -1355,10 +1361,12 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
int ret;
char __user *hlp;
const struct ebt_entry_target *t;
+ char name[EBT_FUNCTION_MAXNAMELEN] = {};
if (e->bitmask == 0)
return 0;
+ strncpy(name, t->u.target->name, sizeof(name));
hlp = ubase + (((char *)e + e->target_offset) - base);
t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
@@ -1368,7 +1376,7 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
if (ret != 0)
return ret;
- if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
+ if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
return -EFAULT;
return 0;
}
--
1.7.4.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
@ 2012-03-01 17:21 ` santosh nayak
0 siblings, 0 replies; 12+ messages in thread
From: santosh nayak @ 2012-03-01 17:21 UTC (permalink / raw)
To: bart.de.schuymer
Cc: pablo, kaber, shemminger, davem, netdev, netfilter-devel,
linux-kernel, kernel-janitors, Santosh Nayak
From: Santosh Nayak <santoshprasadnayak@gmail.com>
user-space ebtables expects 32 bytes-long names, but xt_match uses
29 bytes. Fill the remaining bytes with zeroes.
Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
---
net/bridge/netfilter/ebtables.c | 14 +++++++++++---
1 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5864cc4..21f337a 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1335,7 +1335,10 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m,
const char *base, char __user *ubase)
{
char __user *hlp = ubase + ((char *)m - base);
- if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
+ char name[EBT_FUNCTION_MAXNAMELEN] = {};
+
+ strncpy(name, m->u.match->name, sizeof(name));
+ if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
return -EFAULT;
return 0;
}
@@ -1344,7 +1347,10 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
const char *base, char __user *ubase)
{
char __user *hlp = ubase + ((char *)w - base);
- if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
+ char name[EBT_FUNCTION_MAXNAMELEN] = {};
+
+ strncpy(name, w->u.watcher->name, sizeof(name));
+ if (copy_to_user(hlp , name, EBT_FUNCTION_MAXNAMELEN))
return -EFAULT;
return 0;
}
@@ -1355,10 +1361,12 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
int ret;
char __user *hlp;
const struct ebt_entry_target *t;
+ char name[EBT_FUNCTION_MAXNAMELEN] = {};
if (e->bitmask = 0)
return 0;
+ strncpy(name, t->u.target->name, sizeof(name));
hlp = ubase + (((char *)e + e->target_offset) - base);
t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
@@ -1368,7 +1376,7 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
if (ret != 0)
return ret;
- if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN))
+ if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
return -EFAULT;
return 0;
}
--
1.7.4.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* RE: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
2012-03-01 17:21 ` santosh nayak
@ 2012-03-02 9:05 ` David Laight
-1 siblings, 0 replies; 12+ messages in thread
From: David Laight @ 2012-03-02 9:05 UTC (permalink / raw)
To: santosh nayak, bart.de.schuymer
Cc: pablo, kaber, shemminger, davem, netdev, netfilter-devel,
linux-kernel, kernel-janitors
> - if (copy_to_user(hlp, m->u.match->name,
> EBT_FUNCTION_MAXNAMELEN))
> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
> +
> + strncpy(name, m->u.match->name, sizeof(name));
> + if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
> return -EFAULT;
strncpy() is very rarely the function you are looking for.
In this case it MIGHT be right (since you do a fixed size
copy_to_user).
OTOH there is no need to also initialise name[].
And it isn't entirely clear whether the application
is allowed to be given a non-terminated string.
David
^ permalink raw reply [flat|nested] 12+ messages in thread
* RE: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
@ 2012-03-02 9:05 ` David Laight
0 siblings, 0 replies; 12+ messages in thread
From: David Laight @ 2012-03-02 9:05 UTC (permalink / raw)
To: santosh nayak, bart.de.schuymer
Cc: pablo, kaber, shemminger, davem, netdev, netfilter-devel,
linux-kernel, kernel-janitors
> - if (copy_to_user(hlp, m->u.match->name,
> EBT_FUNCTION_MAXNAMELEN))
> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
> +
> + strncpy(name, m->u.match->name, sizeof(name));
> + if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
> return -EFAULT;
strncpy() is very rarely the function you are looking for.
In this case it MIGHT be right (since you do a fixed size
copy_to_user).
OTOH there is no need to also initialise name[].
And it isn't entirely clear whether the application
is allowed to be given a non-terminated string.
David
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
2012-03-02 9:05 ` David Laight
@ 2012-03-02 10:01 ` Pablo Neira Ayuso
-1 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2012-03-02 10:01 UTC (permalink / raw)
To: David Laight
Cc: santosh nayak, bart.de.schuymer, kaber, shemminger, davem,
netdev, netfilter-devel, linux-kernel, kernel-janitors
On Fri, Mar 02, 2012 at 09:05:10AM -0000, David Laight wrote:
>
> > - if (copy_to_user(hlp, m->u.match->name,
> > EBT_FUNCTION_MAXNAMELEN))
> > + char name[EBT_FUNCTION_MAXNAMELEN] = {};
> > +
> > + strncpy(name, m->u.match->name, sizeof(name));
> > + if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
> > return -EFAULT;
>
> strncpy() is very rarely the function you are looking for.
> In this case it MIGHT be right (since you do a fixed size
> copy_to_user).
> OTOH there is no need to also initialise name[].
We have to make sure that array is filled with zeros for the gap
between byte 29 and byte 32 due to backward compatibility issues.
I'll mangle the patch to add some comment close to strncpy and to
explain the way we're doing this.
> And it isn't entirely clear whether the application
> is allowed to be given a non-terminated string.
Match names are 29 bytes long, while ebtables expects 32 bytes. So
we're copying less bytes.
We can add the final \0 if you feel more confortable, but that string
is going to be null-terminated the way the code look now.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
@ 2012-03-02 10:01 ` Pablo Neira Ayuso
0 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2012-03-02 10:01 UTC (permalink / raw)
To: David Laight
Cc: santosh nayak, bart.de.schuymer, kaber, shemminger, davem,
netdev, netfilter-devel, linux-kernel, kernel-janitors
On Fri, Mar 02, 2012 at 09:05:10AM -0000, David Laight wrote:
>
> > - if (copy_to_user(hlp, m->u.match->name,
> > EBT_FUNCTION_MAXNAMELEN))
> > + char name[EBT_FUNCTION_MAXNAMELEN] = {};
> > +
> > + strncpy(name, m->u.match->name, sizeof(name));
> > + if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
> > return -EFAULT;
>
> strncpy() is very rarely the function you are looking for.
> In this case it MIGHT be right (since you do a fixed size
> copy_to_user).
> OTOH there is no need to also initialise name[].
We have to make sure that array is filled with zeros for the gap
between byte 29 and byte 32 due to backward compatibility issues.
I'll mangle the patch to add some comment close to strncpy and to
explain the way we're doing this.
> And it isn't entirely clear whether the application
> is allowed to be given a non-terminated string.
Match names are 29 bytes long, while ebtables expects 32 bytes. So
we're copying less bytes.
We can add the final \0 if you feel more confortable, but that string
is going to be null-terminated the way the code look now.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
2012-03-01 17:21 ` santosh nayak
@ 2012-03-04 12:18 ` Pablo Neira Ayuso
-1 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2012-03-04 12:18 UTC (permalink / raw)
To: santosh nayak
Cc: bart.de.schuymer, kaber, shemminger, davem, netdev,
netfilter-devel, linux-kernel, kernel-janitors
On Thu, Mar 01, 2012 at 10:39:03PM +0530, santosh nayak wrote:
> From: Santosh Nayak <santoshprasadnayak@gmail.com>
>
> user-space ebtables expects 32 bytes-long names, but xt_match uses
> 29 bytes. Fill the remaining bytes with zeroes.
>
> Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
> ---
> net/bridge/netfilter/ebtables.c | 14 +++++++++++---
> 1 files changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 5864cc4..21f337a 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -1335,7 +1335,10 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m,
> const char *base, char __user *ubase)
> {
> char __user *hlp = ubase + ((char *)m - base);
> - if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
> +
> + strncpy(name, m->u.match->name, sizeof(name));
> + if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
> return -EFAULT;
> return 0;
> }
> @@ -1344,7 +1347,10 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
> const char *base, char __user *ubase)
> {
> char __user *hlp = ubase + ((char *)w - base);
> - if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
> +
> + strncpy(name, w->u.watcher->name, sizeof(name));
> + if (copy_to_user(hlp , name, EBT_FUNCTION_MAXNAMELEN))
> return -EFAULT;
> return 0;
> }
> @@ -1355,10 +1361,12 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
> int ret;
> char __user *hlp;
> const struct ebt_entry_target *t;
> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
>
> if (e->bitmask == 0)
> return 0;
>
> + strncpy(name, t->u.target->name, sizeof(name));
> hlp = ubase + (((char *)e + e->target_offset) - base);
> t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
This is broken, t dereference is incorrect. Unfortunately I've applied
your patch. I'll apply a patch to fix this upon it.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
@ 2012-03-04 12:18 ` Pablo Neira Ayuso
0 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2012-03-04 12:18 UTC (permalink / raw)
To: santosh nayak
Cc: bart.de.schuymer, kaber, shemminger, davem, netdev,
netfilter-devel, linux-kernel, kernel-janitors
On Thu, Mar 01, 2012 at 10:39:03PM +0530, santosh nayak wrote:
> From: Santosh Nayak <santoshprasadnayak@gmail.com>
>
> user-space ebtables expects 32 bytes-long names, but xt_match uses
> 29 bytes. Fill the remaining bytes with zeroes.
>
> Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
> ---
> net/bridge/netfilter/ebtables.c | 14 +++++++++++---
> 1 files changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 5864cc4..21f337a 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -1335,7 +1335,10 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m,
> const char *base, char __user *ubase)
> {
> char __user *hlp = ubase + ((char *)m - base);
> - if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
> +
> + strncpy(name, m->u.match->name, sizeof(name));
> + if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
> return -EFAULT;
> return 0;
> }
> @@ -1344,7 +1347,10 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
> const char *base, char __user *ubase)
> {
> char __user *hlp = ubase + ((char *)w - base);
> - if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
> +
> + strncpy(name, w->u.watcher->name, sizeof(name));
> + if (copy_to_user(hlp , name, EBT_FUNCTION_MAXNAMELEN))
> return -EFAULT;
> return 0;
> }
> @@ -1355,10 +1361,12 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
> int ret;
> char __user *hlp;
> const struct ebt_entry_target *t;
> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
>
> if (e->bitmask = 0)
> return 0;
>
> + strncpy(name, t->u.target->name, sizeof(name));
> hlp = ubase + (((char *)e + e->target_offset) - base);
> t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
This is broken, t dereference is incorrect. Unfortunately I've applied
your patch. I'll apply a patch to fix this upon it.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
2012-03-04 12:18 ` Pablo Neira Ayuso
@ 2012-03-04 12:51 ` santosh prasad nayak
-1 siblings, 0 replies; 12+ messages in thread
From: santosh prasad nayak @ 2012-03-04 12:39 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: bart.de.schuymer, kaber, shemminger, davem, netdev,
netfilter-devel, linux-kernel, kernel-janitors
where is it broken ?
Can you please explain ?
Regards
Santosh
On Sun, Mar 4, 2012 at 5:48 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, Mar 01, 2012 at 10:39:03PM +0530, santosh nayak wrote:
>> From: Santosh Nayak <santoshprasadnayak@gmail.com>
>>
>> user-space ebtables expects 32 bytes-long names, but xt_match uses
>> 29 bytes. Fill the remaining bytes with zeroes.
>>
>> Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
>> ---
>> net/bridge/netfilter/ebtables.c | 14 +++++++++++---
>> 1 files changed, 11 insertions(+), 3 deletions(-)
>>
>> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
>> index 5864cc4..21f337a 100644
>> --- a/net/bridge/netfilter/ebtables.c
>> +++ b/net/bridge/netfilter/ebtables.c
>> @@ -1335,7 +1335,10 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m,
>> const char *base, char __user *ubase)
>> {
>> char __user *hlp = ubase + ((char *)m - base);
>> - if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
>> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
>> +
>> + strncpy(name, m->u.match->name, sizeof(name));
>> + if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
>> return -EFAULT;
>> return 0;
>> }
>> @@ -1344,7 +1347,10 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
>> const char *base, char __user *ubase)
>> {
>> char __user *hlp = ubase + ((char *)w - base);
>> - if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
>> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
>> +
>> + strncpy(name, w->u.watcher->name, sizeof(name));
>> + if (copy_to_user(hlp , name, EBT_FUNCTION_MAXNAMELEN))
>> return -EFAULT;
>> return 0;
>> }
>> @@ -1355,10 +1361,12 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
>> int ret;
>> char __user *hlp;
>> const struct ebt_entry_target *t;
>> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
>>
>> if (e->bitmask == 0)
>> return 0;
>>
>> + strncpy(name, t->u.target->name, sizeof(name));
>> hlp = ubase + (((char *)e + e->target_offset) - base);
>> t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
>
> This is broken, t dereference is incorrect. Unfortunately I've applied
> your patch. I'll apply a patch to fix this upon it.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
@ 2012-03-04 12:51 ` santosh prasad nayak
0 siblings, 0 replies; 12+ messages in thread
From: santosh prasad nayak @ 2012-03-04 12:51 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: bart.de.schuymer, kaber, shemminger, davem, netdev,
netfilter-devel, linux-kernel, kernel-janitors
where is it broken ?
Can you please explain ?
Regards
Santosh
On Sun, Mar 4, 2012 at 5:48 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, Mar 01, 2012 at 10:39:03PM +0530, santosh nayak wrote:
>> From: Santosh Nayak <santoshprasadnayak@gmail.com>
>>
>> user-space ebtables expects 32 bytes-long names, but xt_match uses
>> 29 bytes. Fill the remaining bytes with zeroes.
>>
>> Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
>> ---
>> net/bridge/netfilter/ebtables.c | 14 +++++++++++---
>> 1 files changed, 11 insertions(+), 3 deletions(-)
>>
>> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
>> index 5864cc4..21f337a 100644
>> --- a/net/bridge/netfilter/ebtables.c
>> +++ b/net/bridge/netfilter/ebtables.c
>> @@ -1335,7 +1335,10 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m,
>> const char *base, char __user *ubase)
>> {
>> char __user *hlp = ubase + ((char *)m - base);
>> - if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN))
>> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
>> +
>> + strncpy(name, m->u.match->name, sizeof(name));
>> + if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
>> return -EFAULT;
>> return 0;
>> }
>> @@ -1344,7 +1347,10 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
>> const char *base, char __user *ubase)
>> {
>> char __user *hlp = ubase + ((char *)w - base);
>> - if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN))
>> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
>> +
>> + strncpy(name, w->u.watcher->name, sizeof(name));
>> + if (copy_to_user(hlp , name, EBT_FUNCTION_MAXNAMELEN))
>> return -EFAULT;
>> return 0;
>> }
>> @@ -1355,10 +1361,12 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
>> int ret;
>> char __user *hlp;
>> const struct ebt_entry_target *t;
>> + char name[EBT_FUNCTION_MAXNAMELEN] = {};
>>
>> if (e->bitmask = 0)
>> return 0;
>>
>> + strncpy(name, t->u.target->name, sizeof(name));
>> hlp = ubase + (((char *)e + e->target_offset) - base);
>> t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
>
> This is broken, t dereference is incorrect. Unfortunately I've applied
> your patch. I'll apply a patch to fix this upon it.
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
2012-03-04 12:51 ` santosh prasad nayak
@ 2012-03-04 17:03 ` Pablo Neira Ayuso
-1 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2012-03-04 17:03 UTC (permalink / raw)
To: santosh prasad nayak
Cc: bart.de.schuymer, kaber, shemminger, davem, netdev,
netfilter-devel, linux-kernel, kernel-janitors
On Sun, Mar 04, 2012 at 06:09:08PM +0530, santosh prasad nayak wrote:
> where is it broken ?
> Can you please explain ?
> >> + strncpy(name, t->u.target->name, sizeof(name));
> >> hlp = ubase + (((char *)e + e->target_offset) - base);
> >> t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
In ebt_make_names, you dereference t but it is not initialized.
Note that strncpy refers to t->u.target->name which is initialized a
couple of lines after it.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Resend [PATCH] netfilter: Fix copy_to_user too small size parametre.
@ 2012-03-04 17:03 ` Pablo Neira Ayuso
0 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2012-03-04 17:03 UTC (permalink / raw)
To: santosh prasad nayak
Cc: bart.de.schuymer, kaber, shemminger, davem, netdev,
netfilter-devel, linux-kernel, kernel-janitors
On Sun, Mar 04, 2012 at 06:09:08PM +0530, santosh prasad nayak wrote:
> where is it broken ?
> Can you please explain ?
> >> + strncpy(name, t->u.target->name, sizeof(name));
> >> hlp = ubase + (((char *)e + e->target_offset) - base);
> >> t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
In ebt_make_names, you dereference t but it is not initialized.
Note that strncpy refers to t->u.target->name which is initialized a
couple of lines after it.
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2012-03-04 17:04 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-03-01 17:09 Resend [PATCH] netfilter: Fix copy_to_user too small size parametre santosh nayak
2012-03-01 17:21 ` santosh nayak
2012-03-02 9:05 ` David Laight
2012-03-02 9:05 ` David Laight
2012-03-02 10:01 ` Pablo Neira Ayuso
2012-03-02 10:01 ` Pablo Neira Ayuso
2012-03-04 12:18 ` Pablo Neira Ayuso
2012-03-04 12:18 ` Pablo Neira Ayuso
2012-03-04 12:39 ` santosh prasad nayak
2012-03-04 12:51 ` santosh prasad nayak
2012-03-04 17:03 ` Pablo Neira Ayuso
2012-03-04 17:03 ` Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.