[SECURITY] secmark: nul-terminate secdata

The patch below fixes a problem in the iptables SECMARK target, where the user-supplied 'selctx' string may not be nul-terminated. From initial analysis, it seems that the strlen() called from selinux_string_to_sid() could run until it arbitrarily finds a zero, and possibly cause a kernel oops before then. The impact of this appears limited because the operation requires CAP_NET_ADMIN, which is essentially always root. Also, the module is not yet in wide use. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: David S. Miller <davem@davemloft.net>

[SECURITY] secmark: nul-terminate secdata
The patch below fixes a problem in the iptables SECMARK target, where the user-supplied 'selctx' string may not be nul-terminated. From initial analysis, it seems that the strlen() called from selinux_string_to_sid() could run until it arbitrarily finds a zero, and possibly cause a kernel oops before then. The impact of this appears limited because the operation requires CAP_NET_ADMIN, which is essentially always root. Also, the module is not yet in wide use. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: David S. Miller <davem@davemloft.net>
a280b899 · James Morris · David S. Miller · e795d092 · a280b899
Commit a280b899 authored Jul 30, 2006 by James Morris Committed by David S. Miller Aug 02, 2006
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

net/netfilter/xt_SECMARK.c net/netfilter/xt_SECMARK.c +2 -0

No files found.
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -58,6 +58,8 @@ static int checkentry_selinux(struct xt_secmark_target_info *info)
 	int err;
 	struct xt_secmark_target_selinux_info *sel = &info->u.sel;
 	
+	sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
+
 	err = selinux_string_to_sid(sel->selctx, &sel->selsid);
 	if (err) {
 		if (err == -EINVAL)