[Lucid,CVE-2013-2634] dcbnl: fix various netlink info leaks

Message ID 1365772619-12264-1-git-send-email-luis.henriques@canonical.com
State New

Commit Message

Luis Henriques April 12, 2013, 1:16 p.m. UTC
From: Mathias Krause <minipli@googlemail.com>

CVE-2013-2634

BugLink: http://bugs.launchpad.net/bugs/1158965

The dcb netlink interface leaks stack memory in various places:
* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
  copied completely,
* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
  so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
  for ieee_pfc structs, etc.,
* the same is true for CEE -- no in-kernel driver fills the whole
  struct,

Prevent all of the above stack info leaks by properly initializing the
buffers/structures involved.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/dcb/dcbnl.c | 1 +
 1 file changed, 1 insertion(+)
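The perm_addr[] case from the commit message, reduced to a user-space sketch. This is an added example, not code from the kernel or from the patch: `fake_getpermhwaddr`, `build_reply` and the 0xAA stale-stack marker are hypothetical, and the memcpy stands in for the netlink copy of the whole buffer.

```c
#include <stdio.h>
#include <string.h>

#define PERM_ADDR_LEN 32   /* size of perm_addr[] per the commit message */
#define DRIVER_FILL   12   /* most a driver writes, per the commit message */
#define STALE         0xAA /* constructed marker for leftover stack data */

/* Hypothetical stand-in for a driver's getpermhwaddr callback:
 * it writes only the first DRIVER_FILL bytes. */
static void fake_getpermhwaddr(unsigned char *addr)
{
    int i;
    for (i = 0; i < DRIVER_FILL; i++)
        addr[i] = (unsigned char)(0x10 + i);
}

/* Builds the reply payload and returns how many stale bytes reached it.
 * zero_first = 0 models the unpatched path, 1 the patched path. */
static int build_reply(unsigned char *payload, int zero_first)
{
    unsigned char perm_addr[PERM_ADDR_LEN];
    int i, leaked = 0;

    /* Model earlier stack use deterministically; real contents are
     * indeterminate, which is exactly the problem. */
    memset(perm_addr, STALE, sizeof(perm_addr));

    if (zero_first)
        memset(perm_addr, 0, sizeof(perm_addr)); /* what the patch adds */

    fake_getpermhwaddr(perm_addr);

    /* The whole buffer is copied out, not just the filled prefix. */
    memcpy(payload, perm_addr, sizeof(perm_addr));

    for (i = DRIVER_FILL; i < PERM_ADDR_LEN; i++)
        if (payload[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    unsigned char payload[PERM_ADDR_LEN];
    printf("unpatched: %d stale bytes\n", build_reply(payload, 0));
    printf("patched:   %d stale bytes\n", build_reply(payload, 1));
    return 0;
}
```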

Comments

Stefan Bader April 12, 2013, 2:01 p.m. UTC | #1
Looks like only this single hunk remains for L.
Tim Gardner April 12, 2013, 2:07 p.m. UTC | #2

Patch

diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index ac1205d..813fe4b 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -307,6 +307,7 @@  static int dcbnl_getperm_hwaddr(struct net_device *netdev, struct nlattr **tb,
 	dcb->dcb_family = AF_UNSPEC;
 	dcb->cmd = DCB_CMD_GPERM_HWADDR;
 
+	memset(perm_addr, 0, sizeof(perm_addr));
 	netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
 
 	ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr),
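Review bot: The added memset before the getpermhwaddr() call has no comment explaining why it is needed, and without one it looks redundant next to a callback that is supposed to fill the buffer. A one-line comment such as "drivers fill only part of perm_addr, but nla_put() below copies sizeof(perm_addr)" would keep it from being dropped in a later cleanup. Separately, the commit message still describes the IEEE 802.1Qaz and CEE leaks while the diffstat shows a single insertion; the "(back ported from commit ...)" line should state that only the perm_addr hunk was carried over and why the other hunks were left out, so the changelog matches what this backport actually changes.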