summaryrefslogtreecommitdiffstats
path: root/net/netfilter
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2020-12-22 23:23:56 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2020-12-27 11:52:26 +0100
commit6cb56218ad9e580e519dcd23bfb3db08d8692e5a (patch)
tree5399252573123cb025b36d7065f38ae8b5d1058a /net/netfilter
parent1f45dc22066797479072978feeada0852502e180 (diff)
downloadlinux-stable-6cb56218ad9e580e519dcd23bfb3db08d8692e5a.tar.gz
linux-stable-6cb56218ad9e580e519dcd23bfb3db08d8692e5a.tar.bz2
linux-stable-6cb56218ad9e580e519dcd23bfb3db08d8692e5a.zip
netfilter: xt_RATEEST: reject non-null terminated string from userspace
syzbot reports: detected buffer overflow in strlen [..] Call Trace: strlen include/linux/string.h:325 [inline] strlcpy include/linux/string.h:348 [inline] xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143 strlcpy assumes src is a c-string. Check info->name before its used. Reported-by: syzbot+e86f7c428c8c50db65b4@syzkaller.appspotmail.com Fixes: 5859034d7eb8793 ("[NETFILTER]: x_tables: add RATEEST target") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/xt_RATEEST.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 37253d399c6b..0d5c422f8745 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -115,6 +115,9 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
} cfg;
int ret;
+ if (strnlen(info->name, sizeof(est->name)) >= sizeof(est->name))
+ return -ENAMETOOLONG;
+
net_get_random_once(&jhash_rnd, sizeof(jhash_rnd));
mutex_lock(&xn->hash_lock);