From: James Morris Date: Mon, 31 Jul 2006 03:46:38 +0000 (-0700) Subject: [SECURITY] secmark: nul-terminate secdata X-Git-Tag: v2.6.18-rc4~65^2~16 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a280b89982f48e9a32c6410a37419b12ca88af6b;p=linux-2.6 [SECURITY] secmark: nul-terminate secdata The patch below fixes a problem in the iptables SECMARK target, where the user-supplied 'selctx' string may not be nul-terminated. From initial analysis, it seems that the strlen() called from selinux_string_to_sid() could run until it arbitrarily finds a zero, and possibly cause a kernel oops before then. The impact of this appears limited because the operation requires CAP_NET_ADMIN, which is essentially always root. Also, the module is not yet in wide use. Signed-off-by: James Morris Signed-off-by: Stephen Smalley Signed-off-by: David S. Miller --- diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index c2ce9c4011..de9537ad9a 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c @@ -57,6 +57,8 @@ static int checkentry_selinux(struct xt_secmark_target_info *info) { int err; struct xt_secmark_target_selinux_info *sel = &info->u.sel; + + sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0'; err = selinux_string_to_sid(sel->selctx, &sel->selsid); if (err) {