First published: Thu Mar 10 2011
The 'buffer' string is copied from userspace, but it is not checked whether it is zero terminated. This may lead to an overflow inside simple_strtoul(). Changli Gao suggested copying no more than the user-supplied 'size' bytes. The bug was introduced before the git epoch.

Files "ipt_CLUSTERIP/*" are writable only by root by default; however, on some setups permissions might be relaxed, e.g. to a network admin user.

http://marc.info/?l=netfilter-devel&m=130036157327564&w=2

Proposed patch: http://git.kernel.org/?p=linux/kernel/git/kaber/nf-2.6.git;a=commitdiff;h=961ed183a9fd080cf306c659b8736007e44065a5

Acknowledgements: Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
Credit: cve@mitre.org
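
The unterminated-buffer problem described above, modelled in userspace C as an added example (not the kernel's handler and not the proposed patch). memcpy() and strtoul() stand in for copy_from_user() and simple_strtoul(); WRITELEN, struct frame, both function names, the -EINVAL return and the sample input are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WRITELEN 10 /* assumed buffer size, chosen for this example */

/* Constructed layout: bytes [0, WRITELEN) model the handler's buffer,
 * the '2' after them models whatever follows the buffer in memory. */
struct frame { char mem[WRITELEN + 2]; };

/* Unchecked pattern: fixed-length copy and no terminator, so the
 * parser reads on past the buffer. memcpy() stands in for
 * copy_from_user(), strtoul() for simple_strtoul(). */
static unsigned long parse_unchecked(const char *input)
{
    struct frame f;
    memcpy(f.mem, "AAAAAAAAAA2", sizeof f.mem); /* 11 chars + NUL */
    memcpy(f.mem, input, WRITELEN);
    return strtoul(f.mem, NULL, 10);
}

/* Hardened pattern: copy no more than the caller's size, terminate,
 * then parse. -EINVAL for oversized input is this example's choice. */
static int parse_checked(const char *input, size_t size, unsigned long *out)
{
    char buf[WRITELEN + 1];

    if (size > WRITELEN)
        return -EINVAL;
    memcpy(buf, input, size);
    buf[size] = '\0';
    *out = strtoul(buf, NULL, 10);
    return 0;
}

int main(void)
{
    /* Constructed input: exactly WRITELEN digits, no terminating NUL. */
    const char in[WRITELEN] = {'0','0','0','0','0','0','0','0','0','4'};
    unsigned long v = 0;
    int rc = parse_checked(in, sizeof in, &v);

    printf("unchecked: %lu\n", parse_unchecked(in)); /* adjacent '2' is parsed too */
    printf("checked:   rc=%d value=%lu\n", rc, v);
    return 0;
}
```

In the model the adjacent byte is a harmless digit followed by a NUL; in the situation the advisory describes, nothing guarantees where the parser stops.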
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | <2.6.39 | |
debian/linux-2.6 | | |