| Message ID | 1368093700-6678-2-git-send-email-luis.henriques@canonical.com |
|---|---|
| State | New |
| Headers | show |
On Thu, May 09, 2013 at 11:01:40AM +0100, Luis Henriques wrote: > From: Mathias Krause <minipli@googlemail.com> > > CVE-2013-3222 > > BugLink: https://bugs.launchpad.net/bugs/1172365 > > The current code does not fill the msg_name member in case it is set. > It also does not set the msg_namelen member to 0 and therefore makes > net/socket.c leak the local, uninitialized sockaddr_storage variable > to userland -- 128 bytes of kernel stack memory. > > Fix that by simply setting msg_namelen to 0 as obviously nobody cared > about vcc_recvmsg() not filling the msg_name in case it was set. > > Signed-off-by: Mathias Krause <minipli@googlemail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit 9b3e617f3df53822345a8573b6d358f6b9e5ed87) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > net/atm/common.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/atm/common.c b/net/atm/common.c > index 806fc0a..cf4b7e6 100644 > --- a/net/atm/common.c > +++ b/net/atm/common.c > @@ -532,6 +532,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, > struct sk_buff *skb; > int copied, error = -EINVAL; > > + msg->msg_namelen = 0; > + > if (sock->state != SS_CONNECTED) > return -ENOTCONN; Looks to be a cherry-pick indeed, and to do what is claimed. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
diff --git a/net/atm/common.c b/net/atm/common.c index 806fc0a..cf4b7e6 100644 --- a/net/atm/common.c +++ b/net/atm/common.c @@ -532,6 +532,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, struct sk_buff *skb; int copied, error = -EINVAL; + msg->msg_namelen = 0; + if (sock->state != SS_CONNECTED) return -ENOTCONN;