Patchwork [3.5.y.z,extended,stable] Patch "netrom: fix info leak via msg_name in nr_recvmsg()" has been added to staging queue

Submitter Luis Henriques
Date May 1, 2013, 11:34 p.m.
Message ID <>
Permalink /patch/240844/
State New


Luis Henriques - May 1, 2013, 11:34 p.m.
This is a note to let you know that I have just added a patch titled

    netrom: fix info leak via msg_name in nr_recvmsg()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From eb57a65662ed9232a79b5f418acf03db836fe2ff Mon Sep 17 00:00:00 2001
From: Mathias Krause <>
Date: Sun, 7 Apr 2013 01:51:57 +0000
Subject: [PATCH] netrom: fix info leak via msg_name in nr_recvmsg()

commit 3ce5efad47b62c57a4f5c54248347085a750ce0e upstream.

In case msg_name is set the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of
struct sockaddr_ax25 inserted by the compiler for alignment. Also
the sax25_ndigis member does not get assigned, leaking four more

Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.

Fix both issues by initializing the memory with memset(0).

Cc: Ralf Baechle <>
Signed-off-by: Mathias Krause <>
Signed-off-by: David S. Miller <>
Signed-off-by: Luis Henriques <>
 net/netrom/af_netrom.c | 1 +
 1 file changed, 1 insertion(+)



diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 1b9024e..72cad6c 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1177,6 +1177,7 @@  static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,

 	if (sax != NULL) {
+		memset(sax, 0, sizeof(sax));
 		sax->sax25_family = AF_NETROM;
 		skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
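
Review bot: The added `memset(sax, 0, sizeof(sax));` sizes the clear by the pointer, not by the structure. `sax` is dereferenced with `->` on the following line, so `sizeof(sax)` is the size of a pointer (4 or 8 bytes), and only that many leading bytes of the struct sockaddr_ax25 are zeroed. The alignment padding and the sax25_ndigis member that the commit message sets out to initialise are still left as they were, so the leak described is not closed by this line. Use `memset(sax, 0, sizeof(*sax));` or `sizeof(struct sockaddr_ax25)` instead.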