[hardy,CVE,1/1] net: tipc: fix information leak to userland

Submitted by Andy Whitcroft on Feb. 1, 2011, 3:53 p.m.


Message ID 1296575581-31913-2-git-send-email-apw@canonical.com
State Accepted
Commit faec0e51e0e2d9cb009937e9318e939497a3220a
Headers show

Commit Message

Andy Whitcroft Feb. 1, 2011, 3:53 p.m.
From: Kulikov Vasiliy <segooon@gmail.com>

Structure sockaddr_tipc is copied to userland with padding bytes after
"id" field in union field "name" unitialized.  It leads to leaking of
contents of kernel stack memory.  We have to initialize them to zero.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

(backported from commit 88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52 upstream)
BugLink: http://bugs.launchpad.net/bugs/711291
Signed-off-by: Andy Whitcroft <apw@canonical.com>
 net/tipc/socket.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

Patch hide | download patch | download mbox

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 24ddfd2..a7be154 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -370,6 +370,7 @@  static int get_name(struct socket *sock, struct sockaddr *uaddr,
 	if (down_interruptible(&tsock->sem))
 		return -ERESTARTSYS;
+	memset(addr, 0, sizeof(*addr));
 	*uaddr_len = sizeof(*addr);
 	addr->addrtype = TIPC_ADDR_ID;
 	addr->family = AF_TIPC;