| From 96f4c1593cee99131d5729361f430ae2bd3e7aa6 Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Sun, 7 Apr 2013 01:51:49 +0000 |
| Subject: [PATCH] Bluetooth: fix possible info leak in bt_sock_recvmsg() |
| |
| commit 4683f42fde3977bdb4e8a09622788cc8b5313778 upstream. |
| |
| In case the socket is already shutting down, bt_sock_recvmsg() returns |
| with 0 without updating msg_namelen leading to net/socket.c leaking the |
| local, uninitialized sockaddr_storage variable to userland -- 128 bytes |
| of kernel stack memory. |
| |
| Fix this by moving the msg_namelen assignment in front of the shutdown |
| test. |
| |
| Cc: Marcel Holtmann <marcel@holtmann.org> |
| Cc: Gustavo Padovan <gustavo@padovan.org> |
| Cc: Johan Hedberg <johan.hedberg@gmail.com> |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| net/bluetooth/af_bluetooth.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c |
| index 404a8500fd03..0891857b7ca2 100644 |
| --- a/net/bluetooth/af_bluetooth.c |
| +++ b/net/bluetooth/af_bluetooth.c |
| @@ -240,14 +240,14 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock, |
| if (flags & (MSG_OOB)) |
| return -EOPNOTSUPP; |
| |
| + msg->msg_namelen = 0; |
| + |
| if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) { |
| if (sk->sk_shutdown & RCV_SHUTDOWN) |
| return 0; |
| return err; |
| } |
| |
| - msg->msg_namelen = 0; |
| - |
| copied = skb->len; |
| if (len < copied) { |
| msg->msg_flags |= MSG_TRUNC; |
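Review bot: The relocated `msg->msg_namelen = 0;` carries no comment saying why it must precede the `skb_recv_datagram()` failure path, so a later cleanup could move it back next to the copy logic and silently reintroduce the leak; I would add `/* Set before the RCV_SHUTDOWN early return: the socket layer copies msg_namelen bytes of an otherwise uninitialized sockaddr_storage back to userland on a 0 return. */` above the assignment. The `-EOPNOTSUPP` return above it appears safe to leave as is, since, as far as I can tell from net/socket.c, the address is only copied back for non-negative returns, but that assumption would be worth stating in the same comment. bt_sock_recvmsg() begins before this hunk and its body continues past it, so any other early return in the function after the assignment would need the same check.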
| -- |
| 1.8.5.2 |
| |