| From 6bcc4146079e2b4c3e78591e595094f5bea90d9a Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Sun, 7 Apr 2013 01:51:49 +0000 |
| Subject: Bluetooth: fix possible info leak in bt_sock_recvmsg() |
| |
| |
| From: Mathias Krause <minipli@googlemail.com> |
| |
| [ Upstream commit 4683f42fde3977bdb4e8a09622788cc8b5313778 ] |
| |
| In case the socket is already shutting down, bt_sock_recvmsg() returns |
| with 0 without updating msg_namelen leading to net/socket.c leaking the |
| local, uninitialized sockaddr_storage variable to userland -- 128 bytes |
| of kernel stack memory. |
| |
| Fix this by moving the msg_namelen assignment in front of the shutdown |
| test. |
| |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Cc: Marcel Holtmann <marcel@holtmann.org> |
| Cc: Gustavo Padovan <gustavo@padovan.org> |
| Cc: Johan Hedberg <johan.hedberg@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/bluetooth/af_bluetooth.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/net/bluetooth/af_bluetooth.c |
| +++ b/net/bluetooth/af_bluetooth.c |
| @@ -240,6 +240,8 @@ int bt_sock_recvmsg(struct kiocb *iocb, |
| if (flags & (MSG_OOB)) |
| return -EOPNOTSUPP; |
| |
| + msg->msg_namelen = 0; |
| + |
| skb = skb_recv_datagram(sk, flags, noblock, &err); |
| if (!skb) { |
| if (sk->sk_shutdown & RCV_SHUTDOWN) |
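Review bot: The moved `msg->msg_namelen = 0;` now carries a subtle ordering constraint that the new code does not document: it must stay ahead of every path that can return 0 (here the RCV_SHUTDOWN case that follows, whose return statement lies between the two hunks), because the commit message says the generic recvmsg code in net/socket.c copies msg_namelen bytes of an uninitialized on-stack sockaddr_storage to userland when the call succeeds. A later cleanup that reorders these statements or adds a new early `return 0` would silently reintroduce the leak. I would add above the assignment: `/* Must precede any successful early return: the caller copies msg_namelen bytes of its stack sockaddr_storage to userland (see net/socket.c). */`. The preceding -EOPNOTSUPP return presumably is safe because the caller does not copy the address on error, but that is inferred from the commit message rather than visible here; bt_sock_recvmsg starts and ends outside this hunk.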
| @@ -247,8 +249,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, |
| return err; |
| } |
| |
| - msg->msg_namelen = 0; |
| - |
| copied = skb->len; |
| if (len < copied) { |
| msg->msg_flags |= MSG_TRUNC; |