Patchwork [3.5.y.z,extended,stable] Patch "llc: Fix missing msg_namelen update in llc_ui_recvmsg()" has been added to staging queue

login
register
mail settings
Submitter Luis Henriques
Date May 1, 2013, 11:34 p.m.
Message ID <1367451248-19701-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/240843/
State New
Headers show

Comments

Luis Henriques - May 1, 2013, 11:34 p.m.
This is a note to let you know that I have just added a patch titled

    llc: Fix missing msg_namelen update in llc_ui_recvmsg()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From 43db3463d77387c239e0ac5646c3eaee79d34b0e Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@googlemail.com>
Date: Sun, 7 Apr 2013 01:51:56 +0000
Subject: [PATCH] llc: Fix missing msg_namelen update in llc_ui_recvmsg()

commit c77a4b9cffb6215a15196ec499490d116dfad181 upstream.

For stream sockets the code misses to update the msg_namelen member
to 0 and therefore makes net/socket.c leak the local, uninitialized
sockaddr_storage variable to userland -- 128 bytes of kernel stack
memory. The msg_namelen update is also missing for datagram sockets
in case the socket is shutting down during receive.

Fix both issues by setting msg_namelen to 0 early. It will be
updated later if we're going to fill the msg_name member.

Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/llc/af_llc.c | 2 ++
 1 file changed, 2 insertions(+)

--
1.8.1.2

Patch

diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index a13c3e2..445882cb 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -720,6 +720,8 @@  static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
 	int target;	/* Read at least this many bytes */
 	long timeo;

+	msg->msg_namelen = 0;
+
 	lock_sock(sk);
 	copied = -ENOTCONN;
 	if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))