From f2c9def51f6071d442897b2148bf1dd617a9b5b7 Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@googlemail.com>
Date: Sun, 7 Apr 2013 01:51:58 +0000
Subject: NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()


From: Mathias Krause <minipli@googlemail.com>

[ Upstream commit d26d6504f23e803824e8ebd14e52d4fc0a0b09cb ]

The code in llcp_sock_recvmsg() does not initialize all the members of
struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
initialize the padding bytes of the structure inserted by the compiler
for alignment.

Also, if the socket is in state LLCP_CLOSED or is shutting down during
receive the msg_namelen member is not updated to 0 while otherwise
returning with 0, i.e. "success". The msg_namelen update is also
missing for stream and seqpacket sockets which don't fill the sockaddr
info.

Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.

Fix the first issue by initializing the memory used for sockaddr info
with memset(0). Fix the second one by setting msg_namelen to 0 early.
It will be updated later if we're going to fill the msg_name member.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/llcp/sock.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -514,6 +514,8 @@ static int llcp_sock_recvmsg(struct kioc

pr_debug("%p %zu\n", sk, len);

+ msg->msg_namelen = 0;
+

lock_sock(sk);

if (sk->sk_state == LLCP_CLOSED &&
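Review bot: the commit message describes two fixes, a memset(0) of the sockaddr buffer and the early msg_namelen reset, but the diffstat reports only 2 insertions and this hunk carries exactly those two lines (`msg->msg_namelen = 0;` and a blank line), so the memset part is not in this patch; the backport description should state whether the sockaddr-filling code that the memset targets is absent from this tree, or the missing hunk should be included, otherwise a reader of the stable changelog will assume the padding leak is fixed here when only the msg_namelen path is. Placing the reset before lock_sock(sk) is the right spot: msg is the caller's msghdr rather than socket state, so no lock is needed, and every early return described in the message (LLCP_CLOSED, shutdown during receive, stream and seqpacket sockets) now reports msg_namelen == 0 to net/socket.c instead of the stale caller-supplied length.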