releases/3.4.51/packet-packet_getname_spkt-make-sure-string-is-always-0-terminated.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From adca36db5f6cf43e1459ae8840eb5dceeaa14146 Mon Sep 17 00:00:00 2001
 From: Daniel Borkmann <dborkman@redhat.com>
 Date: Wed, 12 Jun 2013 16:02:27 +0200
 Subject: packet: packet_getname_spkt: make sure string is always 0-terminated

 From: Daniel Borkmann <dborkman@redhat.com>

 [ Upstream commit 2dc85bf323515e59e15dfa858d1472bb25cad0fe ]

 uaddr->sa_data is exactly of size 14, which is hard-coded here and
 passed as a size argument to strncpy(). A device name can be of size
 IFNAMSIZ (== 16), meaning we might leave the destination string
 unterminated. Thus, use strlcpy() and also sizeof() while we're
 at it. We need to memset the data area beforehand, since strlcpy
 does not padd the remaining buffer with zeroes for user space, so
 that we do not possibly leak anything.

 Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/packet/af_packet.c |    5 ++---
  1 file changed, 2 insertions(+), 3 deletions(-)

 --- a/net/packet/af_packet.c
 +++ b/net/packet/af_packet.c
 @@ -2848,12 +2848,11 @@ static int packet_getname_spkt(struct so
  		return -EOPNOTSUPP;

  	uaddr->sa_family = AF_PACKET;
 +	memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
  	rcu_read_lock();
  	dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
  	if (dev)
 -		strncpy(uaddr->sa_data, dev->name, 14);
 -	else
 -		memset(uaddr->sa_data, 0, 14);
 +		strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
  	rcu_read_unlock();
  	*uaddr_len = sizeof(*uaddr);
	From adca36db5f6cf43e1459ae8840eb5dceeaa14146 Mon Sep 17 00:00:00 2001
	From: Daniel Borkmann <dborkman@redhat.com>
	Date: Wed, 12 Jun 2013 16:02:27 +0200
	Subject: packet: packet_getname_spkt: make sure string is always 0-terminated

	From: Daniel Borkmann <dborkman@redhat.com>

	[ Upstream commit 2dc85bf323515e59e15dfa858d1472bb25cad0fe ]

	uaddr->sa_data is exactly of size 14, which is hard-coded here and
	passed as a size argument to strncpy(). A device name can be of size
	IFNAMSIZ (== 16), meaning we might leave the destination string
	unterminated. Thus, use strlcpy() and also sizeof() while we're
	at it. We need to memset the data area beforehand, since strlcpy
	does not padd the remaining buffer with zeroes for user space, so
	that we do not possibly leak anything.

	Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/packet/af_packet.c \| 5 ++---
	1 file changed, 2 insertions(+), 3 deletions(-)

	--- a/net/packet/af_packet.c
	+++ b/net/packet/af_packet.c
	@@ -2848,12 +2848,11 @@ static int packet_getname_spkt(struct so
	return -EOPNOTSUPP;

	uaddr->sa_family = AF_PACKET;
	+ memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
	rcu_read_lock();
	dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
	if (dev)
	- strncpy(uaddr->sa_data, dev->name, 14);
	- else
	- memset(uaddr->sa_data, 0, 14);
	+ strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
	rcu_read_unlock();
	uaddr_len = sizeof(uaddr);