netfilter: cttimeout: fix buffer overflow
Chen Gang reports: the length of nla_data(cda[CTA_TIMEOUT_NAME]) is not limited in server side. And indeed, its used to strcpy to a fixed-sized buffer. Fortunately, nfnetlink users need CAP_NET_ADMIN. Reported-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
4fe198e6b1
commit
e93b5f9f32
|
@ -41,7 +41,8 @@ MODULE_DESCRIPTION("cttimeout: Extended Netfilter Connection Tracking timeout tu
|
|||
static LIST_HEAD(cttimeout_list);
|
||||
|
||||
static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = {
|
||||
[CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING },
|
||||
[CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING,
|
||||
.len = CTNL_TIMEOUT_NAME_MAX - 1},
|
||||
[CTA_TIMEOUT_L3PROTO] = { .type = NLA_U16 },
|
||||
[CTA_TIMEOUT_L4PROTO] = { .type = NLA_U8 },
|
||||
[CTA_TIMEOUT_DATA] = { .type = NLA_NESTED },
|
||||
|
|
Loading…
Reference in New Issue