[SECURITY] secmark: nul-terminate secdata
authorJames Morris <jmorris@namei.org>
Mon, 31 Jul 2006 03:46:38 +0000 (20:46 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Wed, 2 Aug 2006 20:38:23 +0000 (13:38 -0700)
The patch below fixes a problem in the iptables SECMARK target, where
the user-supplied 'selctx' string may not be nul-terminated.

From initial analysis, it seems that the strlen() called from
selinux_string_to_sid() could run until it arbitrarily finds a zero,
and possibly cause a kernel oops before then.

The impact of this appears limited because the operation requires
CAP_NET_ADMIN, which is essentially always root.  Also, the module is
not yet in wide use.

Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/netfilter/xt_SECMARK.c

index c2ce9c4011cc4997bdcc9c1c5e7f9e3a39155fae..de9537ad9a7c5307f48cdbe41147e88ae19132a3 100644 (file)
@@ -57,6 +57,8 @@ static int checkentry_selinux(struct xt_secmark_target_info *info)
 {
        int err;
        struct xt_secmark_target_selinux_info *sel = &info->u.sel;
+       
+       sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
 
        err = selinux_string_to_sid(sel->selctx, &sel->selsid);
        if (err) {