netfilter: ipt_CLUSTERIP: fix buffer overflow

commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.

'buffer' string is copied from userspace.  It is not checked whether it is
zero terminated.  This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index fafe8ebb4c552f1738c8d3b617a6026e84b77631..b41b9b13261fc01d873d9490496b6b7f71895901 100644 (file)
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -672,8 +672,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
        struct clusterip_config *c = pde->data;
        unsigned long nodenum;
 
-       if (copy_from_user(buffer, input, PROC_WRITELEN))
+       if (size > PROC_WRITELEN)
+               return -EIO;
+       if (copy_from_user(buffer, input, size))
                return -EFAULT;
+       buffer[size] = 0;
 
        if (*buffer == '+') {
                nodenum = simple_strtoul(buffer+1, NULL, 10);