| From 6671ade6feb2e93861cb30cce6933b6ce7684791 Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Sun, 7 Apr 2013 01:51:55 +0000 |
| Subject: l2tp: fix info leak in l2tp_ip6_recvmsg() |
| |
| |
| From: Mathias Krause <minipli@googlemail.com> |
| |
| [ Upstream commit b860d3cc62877fad02863e2a08efff69a19382d2 ] |
| |
| The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of |
| struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack |
| in l2tp_ip6_recvmsg() in case msg_name is set. |
| |
| Initialize l2tp_conn_id with 0 to avoid the info leak. |
| |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/l2tp/l2tp_ip6.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/l2tp/l2tp_ip6.c |
| +++ b/net/l2tp/l2tp_ip6.c |
| @@ -684,6 +684,7 @@ static int l2tp_ip6_recvmsg(struct kiocb |
| lsa->l2tp_addr = ipv6_hdr(skb)->saddr; |
| lsa->l2tp_flowinfo = 0; |
| lsa->l2tp_scope_id = 0; |
| + lsa->l2tp_conn_id = 0; |
| if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL) |
| lsa->l2tp_scope_id = IP6CB(skb)->iif; |
| } |