Skip to content

Commit

Permalink
netfilter: xt_RATEEST: reject non-null terminated string from userspace
Browse files Browse the repository at this point in the history 
commit 6cb5621 upstream.

syzbot reports:
detected buffer overflow in strlen
[..]
Call Trace:
 strlen include/linux/string.h:325 [inline]
 strlcpy include/linux/string.h:348 [inline]
 xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143

strlcpy assumes src is a c-string. Check info->name before its used.

Reported-by: syzbot+e86f7c428c8c50db65b4@syzkaller.appspotmail.com
Fixes: 5859034 ("[NETFILTER]: x_tables: add RATEEST target")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
@gregkh
Florian Westphal authored and gregkh committed Jan 12, 2021
1 parent d17f2cc commit 810bc97
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions net/netfilter/xt_RATEEST.c
View file
Expand Up @@ -115,6 +115,9 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
} cfg;
int ret;

if (strnlen(info->name, sizeof(est->name)) >= sizeof(est->name))
return -ENAMETOOLONG;

net_get_random_once(&jhash_rnd, sizeof(jhash_rnd));

mutex_lock(&xn->hash_lock);
Expand Down

0 comments on commit 810bc97

Please sign in to comment.