Patchwork [3.5.y.z,extended,stable] Patch "caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()" has been added to staging queue

login
register
mail settings
Submitter Luis Henriques
Date May 1, 2013, 11:33 p.m.
Message ID <1367451239-19583-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/240838/
State New
Headers show

Comments

Luis Henriques - May 1, 2013, 11:33 p.m.
This is a note to let you know that I have just added a patch titled

    caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From b339bbf1b09cb848af20fad36696bf6ca537b3b8 Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@googlemail.com>
Date: Sun, 7 Apr 2013 01:51:52 +0000
Subject: [PATCH] caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()

commit 2d6fbfe733f35c6b355c216644e08e149c61b271 upstream.

The current code does not fill the msg_name member in case it is set.
It also does not set the msg_namelen member to 0 and therefore makes
net/socket.c leak the local, uninitialized sockaddr_storage variable
to userland -- 128 bytes of kernel stack memory.

Fix that by simply setting msg_namelen to 0 as obviously nobody cared
about caif_seqpkt_recvmsg() not filling the msg_name in case it was
set.

Cc: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/caif/caif_socket.c | 2 ++
 1 file changed, 2 insertions(+)

--
1.8.1.2

Patch

diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 78f1cda..21a1840 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -286,6 +286,8 @@  static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
 	if (m->msg_flags&MSG_OOB)
 		goto read_error;

+	m->msg_namelen = 0;
+
 	skb = skb_recv_datagram(sk, flags, 0 , &ret);
 	if (!skb)
 		goto read_error;