Commit 278f2b3e authored by Mathias Krause's avatar Mathias Krause Committed by Pablo Neira Ayuso

netfilter: ipt_ULOG: fix info leaks

The ulog messages leak heap bytes by the means of padding bytes and
incompletely filled string arrays. Fix those by memset(0)'ing the
whole struct before filling it.
Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent ca0a1067
...@@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net, ...@@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net,
ub->qlen++; ub->qlen++;
pm = nlmsg_data(nlh); pm = nlmsg_data(nlh);
memset(pm, 0, sizeof(*pm));
/* We might not have a timestamp, get one */ /* We might not have a timestamp, get one */
if (skb->tstamp.tv64 == 0) if (skb->tstamp.tv64 == 0)
...@@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net, ...@@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net,
} }
else if (loginfo->prefix[0] != '\0') else if (loginfo->prefix[0] != '\0')
strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix)); strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
else
*(pm->prefix) = '\0';
if (in && in->hard_header_len > 0 && if (in && in->hard_header_len > 0 &&
skb->mac_header != skb->network_header && skb->mac_header != skb->network_header &&
...@@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net, ...@@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net,
if (in) if (in)
strncpy(pm->indev_name, in->name, sizeof(pm->indev_name)); strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
else
pm->indev_name[0] = '\0';
if (out) if (out)
strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));
else
pm->outdev_name[0] = '\0';
/* copy_len <= skb->len, so can't fail. */ /* copy_len <= skb->len, so can't fail. */
if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0) if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
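Review bot: The `memset(pm, 0, sizeof(*pm));` added after `pm = nlmsg_data(nlh);` is now the only thing that leaves `pm->prefix`, `pm->indev_name` and `pm->outdev_name` empty and terminated when their branch is skipped, and nothing at that line says so. I would put a comment above it, `/* pm is sent to userspace: zero padding and unused string bytes first */`, so a later cleanup does not drop it as redundant. The three remaining `strncpy(dst, src, sizeof(dst))` calls still write no terminator when the source fills the whole array; whether `loginfo->prefix` and the device names are guaranteed to be shorter is not visible in these hunks and is worth confirming. ipt_ulog_packet starts and ends outside the displayed hunks.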
......