From: Mathias Krause <minipli@googlemail.com>
Date: Wed, 15 Aug 2012 11:31:55 +0000
Subject: dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)
[ Upstream commit 7b07f8eb75aa3097cdfd4f6eac3da49db787381d ]
The CCID3 code fails to initialize the trailing padding bytes of struct
tfrc_tx_info added for alignment on 64 bit architectures. It therefore
potentially leaks four bytes kernel stack via the getsockopt() syscall.
Add an explicit memset(0) before filling the structure to avoid the
info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/dccp/ccids/ccid3.c | 1 +
1 file changed, 1 insertion(+)
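--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -532,6 +532,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len,
 case DCCP_SOCKOPT_CCID_TX_INFO:
 if (len < sizeof(tfrc))
 return -EINVAL;
+ memset(&tfrc, 0, sizeof(tfrc));
 tfrc.tfrctx_x = hc->tx_x;
 tfrc.tfrctx_x_recv = hc->tx_x_recv;
 tfrc.tfrctx_x_calc = hc->tx_x_calc;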
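Review bot: The added `memset(&tfrc, 0, sizeof(tfrc));` has no comment, so a later cleanup could drop it as redundant with the field assignments that follow, or swap it for a `= {0}` or designated initializer, which is not guaranteed to clear padding bytes. I would put `/* clear padding too: per the commit description the struct reaches userspace via getsockopt() */` above it. Separately, `len < sizeof(tfrc)` compares an `int` with a `size_t`, so a negative `len` is converted to a large unsigned value and passes the check unless a caller rejects it first. Whether that happens is not visible here, because ccid3_hc_tx_getsockopt starts and ends outside the hunk.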