diff mbox

[1/2] tipc: fix an infoleak in tipc_nl_compat_link_dump

Message ID 1468504927-30789-2-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques July 14, 2016, 2:02 p.m. UTC 
From: Kangjie Lu <kangjielu@gmail.com>

link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 5d2be1422e02ccd697ccfcd45c85b4a26e6178e2)
CVE-2016-5243
BugLink: https://bugs.launchpad.net/bugs/1589036
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/tipc/netlink_compat.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff mbox

Patch

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 2ed732bfe94b..f4f27c7c54fb 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -574,7 +574,8 @@  static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
 
 	link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
 	link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
-	strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
+	nla_strlcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]),
+		    TIPC_MAX_LINK_NAME);
 
 	return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO,
 			    &link_info, sizeof(link_info));