diff options
author | Dmitry Vyukov <dvyukov@google.com> | 2018-01-29 13:21:20 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-31 14:59:24 +0100 |
commit | 1e98ffea5a8935ec040ab72299e349cb44b8defd (patch) | |
tree | 512f7e462d332f478c0e3459ca1794abc0c32a9d /net/netfilter/xt_LED.c | |
parent | 0b8d9073539e217f79ec1bff65eb205ac796723d (diff) | |
download | linux-1e98ffea5a8935ec040ab72299e349cb44b8defd.tar.gz |
netfilter: x_tables: fix pointer leaks to userspace
Several netfilter matches and targets put kernel pointers into
info objects, but don't set usersize in descriptors.
This leads to kernel pointer leaks if a match/target is set
and then read back to userspace.
Properly set usersize for these matches/targets.
Found with manual code inspection.
Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize")
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/xt_LED.c')
-rw-r--r-- | net/netfilter/xt_LED.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c index 0971634e54445..1dcad893df781 100644 --- a/net/netfilter/xt_LED.c +++ b/net/netfilter/xt_LED.c @@ -198,6 +198,7 @@ static struct xt_target led_tg_reg __read_mostly = { .family = NFPROTO_UNSPEC, .target = led_tg, .targetsize = sizeof(struct xt_led_info), + .usersize = offsetof(struct xt_led_info, internal_data), .checkentry = led_tg_check, .destroy = led_tg_destroy, .me = THIS_MODULE, |