| From 36a962bf17a2c7cc38cb5a33acf134c6b0eee800 Mon Sep 17 00:00:00 2001 |
| From: Vasiliy Kulikov <segooon@gmail.com> |
| Date: Wed, 10 Nov 2010 12:09:10 -0800 |
| Subject: [PATCH] net: packet: fix information leak to userland |
| |
| commit 67286640f638f5ad41a946b9a3dc75327950248f upstream |
| |
| packet_getname_spkt() doesn't initialize all members of sa_data field of |
| sockaddr struct if strlen(dev->name) < 13. This structure is then copied |
| to userland. It leads to leaking of contents of kernel stack memory. |
| We have to fully fill sa_data with strncpy() instead of strlcpy(). |
| |
| The same with packet_getname(): it doesn't initialize sll_pkttype field of |
| sockaddr_ll. Set it to zero. |
| |
| Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
| index 243946d..b1bc2d2 100644 |
| --- a/net/packet/af_packet.c |
| +++ b/net/packet/af_packet.c |
| @@ -1645,7 +1645,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, |
| rcu_read_lock(); |
| dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex); |
| if (dev) |
| - strlcpy(uaddr->sa_data, dev->name, 15); |
| + strncpy(uaddr->sa_data, dev->name, 14); |
| else |
| memset(uaddr->sa_data, 0, 14); |
| rcu_read_unlock(); |
| @@ -1668,6 +1668,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr, |
| sll->sll_family = AF_PACKET; |
| sll->sll_ifindex = po->ifindex; |
| sll->sll_protocol = po->num; |
| + sll->sll_pkttype = 0; |
| rcu_read_lock(); |
| dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex); |
| if (dev) { |
| -- |
| 1.7.4.4 |
| |