netfilter: ipt_ULOG: fix info leaks
The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Родитель
ca0a10672d
Коммит
278f2b3e2a
|
@ -220,6 +220,7 @@ static void ipt_ulog_packet(struct net *net,
|
|||
ub->qlen++;
|
||||
|
||||
pm = nlmsg_data(nlh);
|
||||
memset(pm, 0, sizeof(*pm));
|
||||
|
||||
/* We might not have a timestamp, get one */
|
||||
if (skb->tstamp.tv64 == 0)
|
||||
|
@ -238,8 +239,6 @@ static void ipt_ulog_packet(struct net *net,
|
|||
}
|
||||
else if (loginfo->prefix[0] != '\0')
|
||||
strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
|
||||
else
|
||||
*(pm->prefix) = '\0';
|
||||
|
||||
if (in && in->hard_header_len > 0 &&
|
||||
skb->mac_header != skb->network_header &&
|
||||
|
@ -251,13 +250,9 @@ static void ipt_ulog_packet(struct net *net,
|
|||
|
||||
if (in)
|
||||
strncpy(pm->indev_name, in->name, sizeof(pm->indev_name));
|
||||
else
|
||||
pm->indev_name[0] = '\0';
|
||||
|
||||
if (out)
|
||||
strncpy(pm->outdev_name, out->name, sizeof(pm->outdev_name));
|
||||
else
|
||||
pm->outdev_name[0] = '\0';
|
||||
|
||||
/* copy_len <= skb->len, so can't fail. */
|
||||
if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
|
||||
|
|
Загрузка…
Ссылка в новой задаче