diff options
author | Dmitry Vyukov | 2018-01-29 13:21:20 +0100 |
---|---|---|
committer | Pablo Neira Ayuso | 2018-01-31 14:59:24 +0100 |
commit | 1e98ffea5a8935ec040ab72299e349cb44b8defd (patch) | |
tree | 512f7e462d332f478c0e3459ca1794abc0c32a9d /net/netfilter/xt_nfacct.c | |
parent | netfilter: ipset: Fix wraparound in hash:*net* types (diff) | |
download | kernel-qcow2-linux-1e98ffea5a8935ec040ab72299e349cb44b8defd.tar.gz kernel-qcow2-linux-1e98ffea5a8935ec040ab72299e349cb44b8defd.tar.xz kernel-qcow2-linux-1e98ffea5a8935ec040ab72299e349cb44b8defd.zip |
netfilter: x_tables: fix pointer leaks to userspace
Several netfilter matches and targets put kernel pointers into
info objects, but don't set usersize in descriptors.
This leads to kernel pointer leaks if a match/target is set
and then read back to userspace.
Properly set usersize for these matches/targets.
Found with manual code inspection.
Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize")
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/xt_nfacct.c')
-rw-r--r-- | net/netfilter/xt_nfacct.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c index cc0518fe598e..6f92d25590a8 100644 --- a/net/netfilter/xt_nfacct.c +++ b/net/netfilter/xt_nfacct.c @@ -62,6 +62,7 @@ static struct xt_match nfacct_mt_reg __read_mostly = { .match = nfacct_mt, .destroy = nfacct_mt_destroy, .matchsize = sizeof(struct xt_nfacct_match_info), + .usersize = offsetof(struct xt_nfacct_match_info, nfacct), .me = THIS_MODULE, }; |