Commit 249556192859490b6280552d4b877064f9f5ee48

Authored by Patrick McHardy
1 parent f9ffc31251

netfilter: nf_log: fix direct userspace memory access in proc handler

Signed-off-by: Patrick McHardy <kaber@trash.net>

Showing 1 changed file with 11 additions and 5 deletions Side-by-side Diff

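--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -47,7 +47,6 @@
 mutex_lock(&nf_log_mutex);
 
 if (pf == NFPROTO_UNSPEC) {
- int i;
 for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
 list_add_tail(&(logger->list[i]), &(nf_loggers_l[i]));
 } else {
@@ -216,7 +215,7 @@
 #endif /* PROC_FS */
 
 #ifdef CONFIG_SYSCTL
-struct ctl_path nf_log_sysctl_path[] = {
+static struct ctl_path nf_log_sysctl_path[] = {
 { .procname = "net", .ctl_name = CTL_NET, },
 { .procname = "netfilter", .ctl_name = NET_NETFILTER, },
 { .procname = "nf_log", .ctl_name = CTL_UNNUMBERED, },
 
 
 
@@ -228,19 +227,26 @@
 static struct ctl_table_header *nf_log_dir_header;
 
 static int nf_log_proc_dostring(ctl_table *table, int write, struct file *filp,
- void *buffer, size_t *lenp, loff_t *ppos)
+ void __user *buffer, size_t *lenp, loff_t *ppos)
 {
 const struct nf_logger *logger;
+ char buf[NFLOGGER_NAME_LEN];
+ size_t size = *lenp;
 int r = 0;
 int tindex = (unsigned long)table->extra1;
 
 if (write) {
- if (!strcmp(buffer, "NONE")) {
+ if (size > sizeof(buf))
+ size = sizeof(buf);
+ if (copy_from_user(buf, buffer, size))
+ return -EFAULT;
+
+ if (!strcmp(buf, "NONE")) {
 nf_log_unbind_pf(tindex);
 return 0;
 }
 mutex_lock(&nf_log_mutex);
- logger = __find_logger(tindex, buffer);
+ logger = __find_logger(tindex, buf);
 if (logger == NULL) {
 mutex_unlock(&nf_log_mutex);
 return -ENOENT;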
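Review bot: The stack copy `buf` is never NUL-terminated before `strcmp(buf, "NONE")` and `__find_logger(tindex, buf)` use it, and the latter presumably compares it as a string too. The clamp allows `size == sizeof(buf)`, and a shorter write without a trailing NUL leaves the rest of `buf` as uninitialized stack, so both calls can read past the copied bytes. Reserve one byte and terminate after the copy: `if (size > sizeof(buf) - 1) size = sizeof(buf) - 1;` and, once `copy_from_user()` succeeds, `buf[size] = '\0';`. A short comment above the copy, such as `/* user data is not NUL-terminated; terminate before string ops */`, would record why. The body of nf_log_proc_dostring continues past the end of this hunk, so whether a trailing newline from the writer is stripped before the name lookup cannot be seen here.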