[NETFILTER]: xt_hashlimit/xt_string: missing string validation
authorPatrick McHardy <kaber@trash.net>
Tue, 1 Aug 2006 06:47:31 +0000 (23:47 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Wed, 2 Aug 2006 20:38:29 +0000 (13:38 -0700)
The hashlimit table name and the textsearch algorithm name need to be
NUL-terminated, and the textsearch pattern length must not exceed the
maximum size.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/netfilter/ipt_hashlimit.c
net/netfilter/xt_string.c

index 92980ab8ce489dacaad95a4c259c19855e0cfd01..6b662449e8253579fc9e87112590d1ac55f7e238 100644 (file)
@@ -508,6 +508,9 @@ hashlimit_checkentry(const char *tablename,
        if (!r->cfg.expire)
                return 0;
 
+       if (r->name[sizeof(r->name) - 1] != '\0')
+               return 0;
+
        /* This is the best we've got: We cannot release and re-grab lock,
         * since checkentry() is called before ip_tables.c grabs ipt_mutex.  
         * We also cannot grab the hashtable spinlock, since htable_create will 
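Review bot: The added check on `r->name[sizeof(r->name) - 1]` rejects the rule with a bare `return 0` and nothing in the code says why, so a later reader cannot tell that it guards a string supplied with the rule from userspace. A one-line comment above it would be enough, for example `/* name arrives with the rule from userspace; refuse it unless the final byte is NUL */`. The check proves only that a terminator exists, so an empty name (`r->name[0] == '\0'`) still passes; whether that matters depends on how the name is consumed later, which is outside this hunk. hashlimit_checkentry starts and ends outside the hunk.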
index 0ebb6ac2c8c769a2b1a19075d10dc35a1143a32a..d8e3891b5f8bd0aa9287fd8a7af88d4a6514a6e9 100644 (file)
@@ -55,7 +55,10 @@ static int checkentry(const char *tablename,
        /* Damn, can't handle this case properly with iptables... */
        if (conf->from_offset > conf->to_offset)
                return 0;
-
+       if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
+               return 0;
+       if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
+               return 0;
        ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
                                     GFP_KERNEL, TS_AUTOLOAD);
        if (IS_ERR(ts_conf))
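Review bot: The termination check here indexes with the macro, `conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1]`, while the hashlimit hunk in the same commit uses `sizeof(r->name) - 1`. Assuming `algo` and `pattern` are fixed arrays in the info struct (the declaration is not visible here), `conf->algo[sizeof(conf->algo) - 1]` and `conf->patlen > sizeof(conf->pattern)` would keep both bounds tied to the fields themselves, so they cannot drift if a macro or a field is changed independently. The `patlen` comparison is only an upper bound, so it is sufficient only if `patlen` is an unsigned type, which should be confirmed against the struct. The hunk also drops the blank line that separated the validation checks from the `textsearch_prepare()` call; keeping it, with a short comment such as `/* validate userspace-supplied strings before handing them to textsearch */`, would make the intent readable. checkentry starts and ends outside the hunk.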