sashiko says: hlp struct is copied from userspace without forcing null-termination of hlp.name [..} is passed to request_module().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Florian Westphal
---
Many more reported issues, will go through this next week.
 net/bridge/netfilter/ebtables.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 2a3ac58d5529..d5640a57a2eb 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1440,6 +1440,8 @@ static int update_counters(struct net *net, sockptr_t arg, unsigned int len)
 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
 return -EINVAL;
+ hlp.name[sizeof(hlp.name) - 1] = 0;
+
 return do_update_counters(net, hlp.name, hlp.counters, hlp.num_counters, len);
 }
@@ -2401,6 +2403,8 @@ static int compat_update_counters(struct net *net, sockptr_t arg,
 if (len != sizeof(hlp) + hlp.num_counters * sizeof(struct ebt_counter))
 return update_counters(net, arg, len);
+ hlp.name[sizeof(hlp.name) - 1] = 0;
+
 return do_update_counters(net, hlp.name, compat_ptr(hlp.counters), hlp.num_counters, len);
 }
-- 2.55.0
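Review bot: The added `hlp.name[sizeof(hlp.name) - 1] = 0;` in update_counters() has no comment, so the reason for it exists only in the commit message. I would put `/* hlp is copied from userspace; terminate name before it can reach request_module() */` directly above the assignment, and the same above the identical line in the compat_update_counters() hunk. Forcing the terminator also truncates an over-long name silently instead of returning -EINVAL; if that is the intended behaviour, the comment is the place to say so. Both functions begin outside their hunks, so the copy into hlp and the path to request_module() are taken from the commit description, not from the visible lines.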