| From 9a94d0f9e8bbeeb627d9638aa4c296b5db62f1cc Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Wed, 15 Aug 2012 11:31:51 +0000 |
| Subject: [PATCH] Bluetooth: L2CAP - Fix info leak via getsockname() |
| |
| commit 792039c73cf176c8e39a6e8beef2c94ff46522ed upstream. |
| |
| The L2CAP code fails to initialize the l2_bdaddr_type member of struct |
| sockaddr_l2 and the padding byte added for alignment. It that for leaks |
| two bytes kernel stack via the getsockname() syscall. Add an explicit |
| memset(0) before filling the structure to avoid the info leak. |
| |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Cc: Marcel Holtmann <marcel@holtmann.org> |
| Cc: Gustavo Padovan <gustavo@padovan.org> |
| Cc: Johan Hedberg <johan.hedberg@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| [PG: net/bluetooth/l2cap_sock.c --> net/bluetooth/l2cap.c in .34] |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| net/bluetooth/l2cap.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c |
| index 0b6cf87d5eb0..64ccd83d52a2 100644 |
| --- a/net/bluetooth/l2cap.c |
| +++ b/net/bluetooth/l2cap.c |
| @@ -1191,6 +1191,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l |
| |
| BT_DBG("sock %p, sk %p", sock, sk); |
| |
| + memset(la, 0, sizeof(struct sockaddr_l2)); |
| addr->sa_family = AF_BLUETOOTH; |
| *len = sizeof(struct sockaddr_l2); |
| |
| -- |
| 1.8.5.2 |
| |