diff options
author | Dmitry Vyukov <dvyukov@google.com> | 2018-01-29 13:21:20 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-31 14:59:24 +0100 |
commit | 1e98ffea5a8935ec040ab72299e349cb44b8defd (patch) | |
tree | 512f7e462d332f478c0e3459ca1794abc0c32a9d /net/netfilter/xt_statistic.c | |
parent | netfilter: ipset: Fix wraparound in hash:*net* types (diff) | |
download | linux-1e98ffea5a8935ec040ab72299e349cb44b8defd.tar.gz linux-1e98ffea5a8935ec040ab72299e349cb44b8defd.tar.bz2 linux-1e98ffea5a8935ec040ab72299e349cb44b8defd.zip |
netfilter: x_tables: fix pointer leaks to userspace
Several netfilter matches and targets put kernel pointers into
info objects, but don't set usersize in descriptors.
This leads to kernel pointer leaks if a match/target is set
and then read back to userspace.
Properly set usersize for these matches/targets.
Found with manual code inspection.
Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize")
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/xt_statistic.c')
-rw-r--r-- | net/netfilter/xt_statistic.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c index 11de55e7a868..8710fdba2ae2 100644 --- a/net/netfilter/xt_statistic.c +++ b/net/netfilter/xt_statistic.c @@ -84,6 +84,7 @@ static struct xt_match xt_statistic_mt_reg __read_mostly = { .checkentry = statistic_mt_check, .destroy = statistic_mt_destroy, .matchsize = sizeof(struct xt_statistic_info), + .usersize = offsetof(struct xt_statistic_info, master), .me = THIS_MODULE, }; |