| Message ID | 20201222222356.22645-1-fw@strlen.de |
|---|---|
| State | New |
| Headers | show |
| Series | [nf] netfilter: xt_RATEEST: reject non-null terminated string from userspace | expand |
On Tue, Dec 22, 2020 at 11:23:56PM +0100, Florian Westphal wrote: > syzbot reports: > detected buffer overflow in strlen > [..] > Call Trace: > strlen include/linux/string.h:325 [inline] > strlcpy include/linux/string.h:348 [inline] > xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143 > > strlcpy assumes src is a c-string. Check info->name before its used. Applied, thanks Florian.
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c index 37253d399c6b..0d5c422f8745 100644 --- a/net/netfilter/xt_RATEEST.c +++ b/net/netfilter/xt_RATEEST.c @@ -115,6 +115,9 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) } cfg; int ret; + if (strnlen(info->name, sizeof(est->name)) >= sizeof(est->name)) + return -ENAMETOOLONG; + net_get_random_once(&jhash_rnd, sizeof(jhash_rnd)); mutex_lock(&xn->hash_lock);
syzbot reports: detected buffer overflow in strlen [..] Call Trace: strlen include/linux/string.h:325 [inline] strlcpy include/linux/string.h:348 [inline] xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143 strlcpy assumes src is a c-string. Check info->name before its used. Reported-by: syzbot+e86f7c428c8c50db65b4@syzkaller.appspotmail.com Fixes: 5859034d7eb8793 ("[NETFILTER]: x_tables: add RATEEST target") Signed-off-by: Florian Westphal <fw@strlen.de> --- RATEEST test in iptables.git still passes, syzbot repro setsockopt fails with -ENAMETOOLONG.