| From adca36db5f6cf43e1459ae8840eb5dceeaa14146 Mon Sep 17 00:00:00 2001 |
| From: Daniel Borkmann <dborkman@redhat.com> |
| Date: Wed, 12 Jun 2013 16:02:27 +0200 |
| Subject: packet: packet_getname_spkt: make sure string is always 0-terminated |
| |
| From: Daniel Borkmann <dborkman@redhat.com> |
| |
| [ Upstream commit 2dc85bf323515e59e15dfa858d1472bb25cad0fe ] |
| |
| uaddr->sa_data is exactly of size 14, which is hard-coded here and |
| passed as a size argument to strncpy(). A device name can be of size |
| IFNAMSIZ (== 16), meaning we might leave the destination string |
| unterminated. Thus, use strlcpy() and also sizeof() while we're |
| at it. We need to memset the data area beforehand, since strlcpy |
| does not pad the remaining buffer with zeroes for user space, so |
| that we do not possibly leak anything. |
| |
| Signed-off-by: Daniel Borkmann <dborkman@redhat.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/packet/af_packet.c | 5 ++--- |
| 1 file changed, 2 insertions(+), 3 deletions(-) |
| |
| --- a/net/packet/af_packet.c |
| +++ b/net/packet/af_packet.c |
| @@ -2848,12 +2848,11 @@ static int packet_getname_spkt(struct so |
| return -EOPNOTSUPP; |
| |
| uaddr->sa_family = AF_PACKET; |
| + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); |
| rcu_read_lock(); |
| dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); |
| if (dev) |
| - strncpy(uaddr->sa_data, dev->name, 14); |
| - else |
| - memset(uaddr->sa_data, 0, 14); |
| + strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); |
| rcu_read_unlock(); |
| *uaddr_len = sizeof(*uaddr); |
| |
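Review bot: The `strlcpy()` into `uaddr->sa_data` silently truncates any device name longer than 13 characters, because sa_data is 14 bytes while a name can occupy IFNAMSIZ (16) bytes. Its return value is ignored, so user space cannot tell a truncated name from a complete one. The limit follows from the sockaddr layout, but it is worth a comment at the copy, for example `/* sa_data (14) < IFNAMSIZ (16): name may be truncated; the memset above keeps the tail zeroed for user space */`. That comment would also record why the `memset()` has to precede the copy, so it is not later dropped as redundant and the stale bytes exposed again. The body of packet_getname_spkt starts and ends outside this hunk, so the handling of the returned length by callers is not visible here.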