diff options
author | Mathias Krause <minipli@googlemail.com> | 2013-04-06 21:51:57 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-04-07 16:28:02 -0400 |
commit | 3ce5efad47b62c57a4f5c54248347085a750ce0e (patch) | |
tree | 6ea783a53cab3815f147b9ade4bda5b3ad09b177 /net/netrom/af_netrom.c | |
parent | c77a4b9cffb6215a15196ec499490d116dfad181 (diff) |
netrom: fix info leak via msg_name in nr_recvmsg()
In case msg_name is set the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of
struct sockaddr_ax25 inserted by the compiler for alignment. Also
the sax25_ndigis member does not get assigned, leaking four more
bytes.
Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.
Fix both issues by initializing the memory with memset(0).
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netrom/af_netrom.c')
-rw-r--r-- | net/netrom/af_netrom.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index d1fa1d9ffd2e..7fcb307dea47 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c | |||
@@ -1173,6 +1173,7 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock, | |||
1173 | } | 1173 | } |
1174 | 1174 | ||
1175 | if (sax != NULL) { | 1175 | if (sax != NULL) { |
1176 | memset(sax, 0, sizeof(sax)); | ||
1176 | sax->sax25_family = AF_NETROM; | 1177 | sax->sax25_family = AF_NETROM; |
1177 | skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, | 1178 | skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, |
1178 | AX25_ADDR_LEN); | 1179 | AX25_ADDR_LEN); |