45 lines
1.5 KiB
Diff
45 lines
1.5 KiB
Diff
From: Mathias Krause <minipli@googlemail.com>
|
|
Date: Wed, 15 Aug 2012 11:31:53 +0000
|
|
Subject: llc: fix info leak via getsockname()
|
|
|
|
[ Upstream commit 3592aaeb80290bda0f2cf0b5456c97bfc638b192 ]
|
|
|
|
The LLC code wrongly returns 0, i.e. "success", when the socket is
|
|
zapped. Together with the uninitialized uaddrlen pointer argument from
|
|
sys_getsockname this leads to an arbitrary memory leak of up to 128
|
|
bytes kernel stack via the getsockname() syscall.
|
|
|
|
Return an error instead when the socket is zapped to prevent the info
|
|
leak. Also remove the unnecessary memset(0). We don't directly write to
|
|
the memory pointed by uaddr but memcpy() a local structure at the end of
|
|
the function that is properly initialized.
|
|
|
|
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
|
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
---
|
|
net/llc/af_llc.c | 3 +--
|
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
|
|
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
|
|
index a18e6c3..99a60d5 100644
|
|
--- a/net/llc/af_llc.c
|
|
+++ b/net/llc/af_llc.c
|
|
@@ -966,14 +966,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
|
|
struct sockaddr_llc sllc;
|
|
struct sock *sk = sock->sk;
|
|
struct llc_sock *llc = llc_sk(sk);
|
|
- int rc = 0;
|
|
+ int rc = -EBADF;
|
|
|
|
memset(&sllc, 0, sizeof(sllc));
|
|
lock_sock(sk);
|
|
if (sock_flag(sk, SOCK_ZAPPED))
|
|
goto out;
|
|
*uaddrlen = sizeof(sllc);
|
|
- memset(uaddr, 0, *uaddrlen);
|
|
if (peer) {
|
|
rc = -ENOTCONN;
|
|
if (sk->sk_state != TCP_ESTABLISHED)
|