Patchwork [3.5.y.z,extended,stable] Patch "caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()" has been added to staging queue

Submitter Luis Henriques
Date May 1, 2013, 11:33 p.m.
Permalink /patch/240838/
State New


Luis Henriques - May 1, 2013, 11:33 p.m.
This is a note to let you know that I have just added a patch titled

    caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From b339bbf1b09cb848af20fad36696bf6ca537b3b8 Mon Sep 17 00:00:00 2001
From: Mathias Krause <>
Date: Sun, 7 Apr 2013 01:51:52 +0000
Subject: [PATCH] caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()

commit 2d6fbfe733f35c6b355c216644e08e149c61b271 upstream.

The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.

Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about caif_seqpkt_recvmsg() not filling the msg_name in case it was

Cc: Sjur Braendeland <>
Signed-off-by: Mathias Krause <>
Signed-off-by: David S. Miller <>
Signed-off-by: Luis Henriques <>
 net/caif/caif_socket.c | 2 ++
 1 file changed, 2 insertions(+)



diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 78f1cda..21a1840 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -286,6 +286,8 @@  static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
 	if (m->msg_flags&MSG_OOB)
 		goto read_error;

+	m->msg_namelen = 0;
 	skb = skb_recv_datagram(sk, flags, 0 , &ret);
 	if (!skb)
 		goto read_error;
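
Review bot: The new `m->msg_namelen = 0;` sits after the `MSG_OOB` check, so the `goto read_error` taken just above it returns with msg_namelen still holding whatever value it had on entry. Moving the assignment ahead of the flags test would leave the field defined on every exit from caif_seqpkt_recvmsg(), which matters if any caller reads msg_namelen without first checking the return value. A one-line comment above the assignment stating that this function never fills msg_name would also keep a later cleanup from dropping it as a redundant store. Separately, the diffstat and the `@@ -286,6 +286,8 @@` header both indicate two added lines, but only one `+` line is visible in this hunk, so the mbox should be checked before applying.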