'buffer' string is copied from userspace. It is not checked whether it is zero-terminated. This may lead to overflow inside simple_strtoul(). Changli Gao suggested copying not more than the user-supplied 'size' bytes.
It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are root writable only by default, however, on some setups permissions might be relaxed to e.g. network admin user.
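Added example, not code from this bug thread or from the kernel: a userspace C model of the bounded-copy fix the report describes, copying at most the user-supplied 'size' bytes, capping that at the scratch buffer, and NUL-terminating before any string parsing. The buffer length (PROC_WRITELEN), the node limit, and the "+N"/"-N" command form are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define PROC_WRITELEN 10          /* assumed size of the fixed scratch buffer */
#define CLUSTERIP_MAX_NODES 16    /* assumed upper bound on node numbers */

/* Model of a proc write handler. The unsafe pattern copies a fixed number of
 * bytes regardless of how much the caller wrote and then hands the buffer to
 * a string parser that walks until it finds a '\0'. Here we copy at most
 * 'size' bytes, never more than the buffer holds, and always terminate. */
static int clusterip_parse_write(const char *input, size_t size,
                                 int *add, unsigned long *nodenum)
{
    char buffer[PROC_WRITELEN + 1];
    char *end;

    if (size == 0)
        return -EINVAL;
    if (size > PROC_WRITELEN)
        size = PROC_WRITELEN;         /* cap the copy at the buffer capacity */
    memcpy(buffer, input, size);      /* stands in for copy_from_user() */
    buffer[size] = '\0';              /* terminate even if the caller sent no '\0' */

    if (buffer[0] == '+')
        *add = 1;
    else if (buffer[0] == '-')
        *add = 0;
    else
        return -EINVAL;

    errno = 0;
    *nodenum = strtoul(buffer + 1, &end, 10);   /* stands in for simple_strtoul() */
    if (end == buffer + 1 || errno != 0)
        return -EINVAL;               /* no digits at all, or overflow */
    if (*nodenum == 0 || *nodenum > CLUSTERIP_MAX_NODES)
        return -ERANGE;
    return 0;
}
```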
Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
Didn't assign a CVE name for this one as the default perms for this is S_IWUSR|S_IRUSR. But MITRE might assign one.
(In reply to comment #4)
> Didn't assign a CVE name for this one as the default perms for this is
> S_IWUSR|S_IRUSR. But MITRE might assign one.
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2534 to
the following vulnerability:
Buffer overflow in the clusterip_proc_write function in
net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel before 2.6.39
might allow local users to cause a denial of service or have
unspecified other impact via a crafted write operation, related to
string data that lacks a terminating '\0' character.
This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 as it did not have support for ipt_CLUSTERIP. This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via http://rhn.redhat.com/errata/RHSA-2011-0833.html, http://rhn.redhat.com/errata/RHSA-2011-0498.html, and http://rhn.redhat.com/errata/RHSA-2011-0500.html.