[Coverity] Untrusted user data in kernel
Patrick McHardy
kaber at trash.net
Fri Dec 17 06:25:37 CET 2004
James Morris wrote:
>This at least needs CAP_NET_ADMIN.
>
It is already checked in do_ip6t_set_ctl(). Otherwise anyone could
replace iptables rules :)
Regards
Patrick
>
>On Thu, 16 Dec 2004, Bryan Fulton wrote:
>
>
>>////////////////////////////////////////////////////////
>>// 3: /net/ipv6/netfilter/ip6_tables.c::do_replace //
>>////////////////////////////////////////////////////////
>>
>>- tainted unsigned scalar tmp.num_counters multiplied and passed to
>>vmalloc (1161) and memset (1166) which could overflow or be too large
>>
>>Call to function "copy_from_user" TAINTS argument "tmp"
>>
>>1143 if (copy_from_user(&tmp, user, sizeof(tmp)) != 0)
>>1144 return -EFAULT;
>>
>>...
>>
>>TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
>>sink.
>>
>>1161 counters = vmalloc(tmp.num_counters * sizeof(struct
>>ip6t_counters));
>>1162 if (!counters) {
>>1163 ret = -ENOMEM;
>>1164 goto free_newinfo;
>>1165 }
>>
>>TAINTED variable "((tmp).num_counters * 16)" was passed to a tainted
>>sink.
>>
>>1166 memset(counters, 0, tmp.num_counters * sizeof(struct
>>ip6t_counters));
>>
>>
>>
>
>
>
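The overflow the quoted report describes, as an added example that is not part of the original message or of the kernel source: a userspace C model of the `num_counters * 16` size computation as it behaves with a 32-bit `size_t`, next to a bounds-checked version. `struct sample_counters`, `SAMPLE_MAX_BYTES` and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the 16-byte counter entry in the report ("num_counters * 16"). */
struct sample_counters { uint64_t pcnt, bcnt; };

/* Hypothetical cap on one allocation; a value constructed for this example. */
#define SAMPLE_MAX_BYTES (64u * 1024u * 1024u)

/* The unchecked multiplication with a 32-bit size type: it wraps mod 2^32. */
static uint32_t unchecked_size32(uint32_t num_counters)
{
    return num_counters * (uint32_t)sizeof(struct sample_counters);
}

/* Returns 0 and stores the byte count, or -1 if the count is zero or too large. */
static int checked_size(uint32_t num_counters, size_t *out)
{
    const size_t elem = sizeof(struct sample_counters);

    if (num_counters == 0 || num_counters > SAMPLE_MAX_BYTES / elem)
        return -1;                 /* dividing the limit avoids the overflow */
    *out = (size_t)num_counters * elem;
    return 0;
}

/* Allocate and zero the array only after the user-supplied count is validated. */
static struct sample_counters *alloc_counters(uint32_t num_counters)
{
    size_t bytes;
    struct sample_counters *c;

    if (checked_size(num_counters, &bytes) != 0)
        return NULL;
    c = malloc(bytes);
    if (c)
        memset(c, 0, bytes);
    return c;
}

int main(void)
{
    uint32_t n = 0x10000001u;      /* constructed input: 2^28 + 1 entries */
    printf("unchecked 32-bit size: %u bytes\n", (unsigned)unchecked_size32(n));
    printf("checked: %s\n", alloc_counters(n) ? "allocated" : "rejected");
    return 0;
}
```

With the constructed input the unchecked product wraps to 16 bytes, so an allocation sized that way would hold one entry while later code still believes it holds 2^28 + 1.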