Commit a280b899 authored by James Morris's avatar James Morris Committed by David S. Miller

[SECURITY] secmark: nul-terminate secdata

The patch below fixes a problem in the iptables SECMARK target, where
the user-supplied 'selctx' string may not be nul-terminated.

From initial analysis, it seems that the strlen() called from
selinux_string_to_sid() could run until it arbitrarily finds a zero,
and possibly cause a kernel oops before then.

The impact of this appears limited because the operation requires
CAP_NET_ADMIN, which is essentially always root.  Also, the module is
not yet in wide use.
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent e795d092
...@@ -58,6 +58,8 @@ static int checkentry_selinux(struct xt_secmark_target_info *info) ...@@ -58,6 +58,8 @@ static int checkentry_selinux(struct xt_secmark_target_info *info)
int err; int err;
struct xt_secmark_target_selinux_info *sel = &info->u.sel; struct xt_secmark_target_selinux_info *sel = &info->u.sel;
sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
err = selinux_string_to_sid(sel->selctx, &sel->selsid); err = selinux_string_to_sid(sel->selctx, &sel->selsid);
if (err) { if (err) {
if (err == -EINVAL) if (err == -EINVAL)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment