netrom: fix info leak via msg_name in nr_recvmsg()
In case msg_name is set the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of
struct sockaddr_ax25 inserted by the compiler for alignment. Also
the sax25_ndigis member does not get assigned, leaking four more
bytes.

Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.

Fix both issues by initializing the memory with memset(0).

Cc: Ralf Baechle <[email protected]>
Signed-off-by: Mathias Krause <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
minipli authored and davem330 committed Apr 7, 2013
1 parent c77a4b9 commit 3ce5efa
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/netrom/af_netrom.c
Expand Up @@ -1173,6 +1173,7 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
}

if (sax != NULL) {
memset(sax, 0, sizeof(sax));
sax->sax25_family = AF_NETROM;
skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
AX25_ADDR_LEN);
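
Review bot: the added line `memset(sax, 0, sizeof(sax));` takes the size of the pointer, not of the structure. `sax` is compared against NULL and dereferenced with `->` in the surrounding lines, so `sizeof(sax)` is 4 or 8 bytes depending on the architecture, and only that many leading bytes of the sockaddr are zeroed. Everything past that point, which per the commit message is where the alignment padding and sax25_ndigis live, can still reach user space uninitialized, so the leak this commit describes is not closed. Suggest `memset(sax, 0, sizeof(*sax));`, or spelling out `sizeof(struct sockaddr_ax25)`, and checking the sibling recvmsg fixes in the same series for the same pattern.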