| From 68aab8bd93de308a71ed9b069ea2fe11ad41e50f Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Wed, 15 Aug 2012 11:31:50 +0000 |
| Subject: [PATCH] Bluetooth: RFCOMM - Fix info leak via getsockname() |
| |
| commit 9344a972961d1a6d2c04d9008b13617bcb6ec2ef upstream. |
| |
| The RFCOMM code fails to initialize the trailing padding byte of struct |
| sockaddr_rc added for alignment. It that for leaks one byte kernel stack |
| via the getsockname() syscall. Add an explicit memset(0) before filling |
| the structure to avoid the info leak. |
| |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Cc: Marcel Holtmann <marcel@holtmann.org> |
| Cc: Gustavo Padovan <gustavo@padovan.org> |
| Cc: Johan Hedberg <johan.hedberg@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| net/bluetooth/rfcomm/sock.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c |
| index b045bbbc2353..92aa7a012110 100644 |
| --- a/net/bluetooth/rfcomm/sock.c |
| +++ b/net/bluetooth/rfcomm/sock.c |
| @@ -547,6 +547,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int * |
| |
| BT_DBG("sock %p, sk %p", sock, sk); |
| |
| + memset(sa, 0, sizeof(*sa)); |
| sa->rc_family = AF_BLUETOOTH; |
| sa->rc_channel = rfcomm_pi(sk)->channel; |
| if (peer) |
| -- |
| 1.8.5.2 |
| |