diff mbox

[maverick/lucid/karmic,CVE,1/1] net: tipc: fix information leak to userland

Message ID 1296575581-31913-3-git-send-email-apw@canonical.com
State Accepted
Commit 3d9de2af68a0a1a242f1ff5cda734bdfe05fdce7
Headers show

Commit Message

Andy Whitcroft Feb. 1, 2011, 3:53 p.m. UTC 
From: Kulikov Vasiliy <segooon@gmail.com>

Structure sockaddr_tipc is copied to userland with padding bytes after
"id" field in union field "name" unitialized.  It leads to leaking of
contents of kernel stack memory.  We have to initialize them to zero.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2010-3877
(cherry picked from commit 88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52 upstream)
BugLink: http://bugs.launchpad.net/bugs/711291
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 net/tipc/socket.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
diff mbox

Patch

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 66e889b..1a5f62a 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -395,6 +395,7 @@  static int get_name(struct socket *sock, struct sockaddr *uaddr,
 	struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
 	struct tipc_sock *tsock = tipc_sk(sock->sk);
 
+	memset(addr, 0, sizeof(*addr));
 	if (peer) {
 		if ((sock->state != SS_CONNECTED) &&
 			((peer != 2) || (sock->state != SS_DISCONNECTING)))