@@ -1834,6 +1834,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
if (!sock)
goto out;
+ memset(&address, 0, sizeof(address));
msg.msg_control = NULL;
msg.msg_controllen = 0;
msg.msg_iovlen = 1;
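Review bot: The added `memset(&address, 0, sizeof(address));` carries no explanation of why a sockaddr_storage that the receive path is expected to fill must be pre-cleared, so a later cleanup could plausibly drop it as redundant and reintroduce the stale-stack copy to user space. A one-line comment on the memset, `/* zero first: a recv that returns 0 (e.g. concurrent shutdown) leaves address unwritten, and the later copy-out must not expose stale stack bytes */`, would pin the invariant at the point where it matters. The body of recvfrom, including the copy-out the description refers to, continues outside the hunk, so the exact path that reads `address` is inferred from the description rather than visible here.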
@@ -2228,6 +2229,8 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
uaddr = (__force void __user *)msg_sys->msg_name;
uaddr_len = COMPAT_NAMELEN(msg);
+ if (uaddr != NULL)
+ memset(&addr, 0, sizeof(addr));
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
} else
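Review bot: The clearing of `addr` here is guarded by `if (uaddr != NULL)`, whereas the recvfrom hunk clears its address unconditionally; the guard presumably skips the 128-byte memset when the caller supplied no name buffer, but it makes the fix hinge on `uaddr` being the only way `addr` reaches user space, which this hunk does not show. If the saving is intended, a comment stating it, `/* only callers that supplied msg_name can read addr back; skip the clear otherwise */`, would make the asymmetry deliberate rather than accidental; otherwise an unconditional `memset(&addr, 0, sizeof(addr));` matching the recvfrom change is the simpler and more obviously safe form. The enclosing ___sys_recvmsg, including the later copy of addr to uaddr and the verify_iovec path that hands `&addr` to msg_sys, lies outside the hunk.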
If a blocking read waits on a socket which gets concurrently shut down, we return 0 as the error value and so indicate success to the socket functions, which thus copy an uninitialized stack-allocated address back to the user. Fix this by clearing the 128 byte size (on x86-64) address first. This patch fixes the problem for recvfrom, recvmsg and recvmmsg. Reported-by: mpb <mpb.mail@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> --- net/socket.c | 3 +++ 1 file changed, 3 insertions(+)