net: fix a kernel infoleak in x25 module
Stack object "dte_facilities" is allocated in x25_rx_call_request(),
which is supposed to be initialized in x25_negotiate_facilities.
However, 5 fields (8 bytes in total) are not initialized. This
object is then copied to userland via copy_to_user, thus infoleak
occurs.

Signed-off-by: Kangjie Lu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
kengiter authored and davem330 committed May 10, 2016
1 parent 7fa816b commit 79e4865
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/x25/x25_facilities.c
Expand Up @@ -277,6 +277,7 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk,

memset(&theirs, 0, sizeof(theirs));
memcpy(new, ours, sizeof(*new));
memset(dte, 0, sizeof(*dte));

len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
if (len < 0)
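
Review bot: the added memset(dte, 0, sizeof(*dte)) has no comment saying why it is needed, so it reads as redundant next to the x25_parse_facilities() call that fills dte right after it. The commit message says the struct lives on the stack in x25_rx_call_request() and is later copied to userland via copy_to_user, and that 5 fields (8 bytes) are otherwise left unset; a one-line comment above the memset stating that dte must be fully zeroed because it is later copied to user space would keep it from being dropped in a cleanup. The placement before the parse call is right, since it also covers the len < 0 early-return path.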