| From: Mathias Krause <minipli@googlemail.com> |
| Date: Sun, 7 Apr 2013 01:51:57 +0000 |
| Subject: netrom: fix info leak via msg_name in nr_recvmsg() |
| |
| [ Upstream commits 3ce5efad47b62c57a4f5c54248347085a750ce0e and |
| c802d759623acbd6e1ee9fbdabae89159a513913 ] |
| |
| In case msg_name is set the sockaddr info gets filled out, as |
| requested, but the code fails to initialize the padding bytes of |
| struct sockaddr_ax25 inserted by the compiler for alignment. Also |
| the sax25_ndigis member does not get assigned, leaking four more |
| bytes. |
| |
| Both issues lead to the fact that the code will leak uninitialized |
| kernel stack bytes in net/socket.c. |
| |
| Fix both issues by initializing the memory with memset(0). |
| |
| Cc: Ralf Baechle <ralf@linux-mips.org> |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/netrom/af_netrom.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/netrom/af_netrom.c |
| +++ b/net/netrom/af_netrom.c |
| @@ -1178,6 +1178,7 @@ static int nr_recvmsg(struct kiocb *iocb |
| } |
| |
| if (sax != NULL) { |
| + memset(sax, 0, sizeof(sax)); |
| sax->sax25_family = AF_NETROM; |
| skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, |
| AX25_ADDR_LEN); |
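Review bot: the size argument in the added line `memset(sax, 0, sizeof(sax));` is wrong: `sax` is a pointer (it is compared against NULL and dereferenced as `sax->sax25_family` in the same block), so `sizeof(sax)` is the size of the pointer, not of the structure it points to. Only the first pointer-sized bytes of the sockaddr are cleared, and everything past that stays uninitialized, so the padding and the sax25_ndigis member named in the commit message may still reach user space unzeroed. Use `memset(sax, 0, sizeof(*sax));` (or `sizeof(struct sockaddr_ax25)`) so the whole structure is zeroed before the individual fields are assigned.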