netfilter: xt_RATEEST: reject non-null terminated string from userspace

commit 6cb56218ad9e580e519dcd23bfb3db08d8692e5a upstream. syzbot reports: detected buffer overflow in strlen [..] Call Trace: strlen include/linux/string.h:325 [inline] strlcpy include/linux/string.h:348 [inline] xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143 strlcpy assumes src is a c-string. Check info->name before its used. Reported-by: syzbot+e86f7c428c8c50db65b4@syzkaller.appspotmail.com Fixes: 5859034d7eb8793 ("[NETFILTER]: x_tables: add RATEEST target") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Florian Westphal <fw@strlen.de> 2020-12-22 23:23:56 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-01-12 20:09:14 +0100
commit: 1ee314a4ff2b55002fc4792eabd5cea24a5b1266 (patch)
tree: 27c47a094cd8e3685ecb1f7686b1862900b017bf
parent: 45eb54786f96f2790e00db85b4afc40928342170 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 141c295191f6..1c6683dfbc5b 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -106,6 +106,9 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
 	} cfg;
 	int ret;
 
+	if (strnlen(info->name, sizeof(est->name)) >= sizeof(est->name))
+		return -ENAMETOOLONG;
+
 	net_get_random_once(&jhash_rnd, sizeof(jhash_rnd));
 
 	mutex_lock(&xt_rateest_mutex);
author	Florian Westphal <fw@strlen.de>	2020-12-22 23:23:56 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-01-12 20:09:14 +0100
commit	1ee314a4ff2b55002fc4792eabd5cea24a5b1266 (patch)
tree	27c47a094cd8e3685ecb1f7686b1862900b017bf
parent	45eb54786f96f2790e00db85b4afc40928342170 (diff)