summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-03-17 01:40:10 +0000
committerGreg Kroah-Hartman <gregkh@suse.de>2011-04-14 16:53:07 -0700
commitf4f0cb8d0e023a274834aed9430a520de10bacbf (patch)
tree75f465a7cee48336b2f041e49a1d07cea3619849
parentda3e9d571ec4189f51c207f01de429981e6c2675 (diff)
downloadlwn-f4f0cb8d0e023a274834aed9430a520de10bacbf.tar.gz
lwn-f4f0cb8d0e023a274834aed9430a520de10bacbf.zip
econet: 4 byte infoleak to the network
commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream. struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on x86_64. These bytes are not initialized in the variable 'ah' before sending 'ah' to the network. This leads to 4 bytes kernel stack infoleak. This bug was introduced before the git epoch. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Acked-by: Phil Blundell <philb@gnu.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--net/econet/af_econet.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index d23ee8a358f8..9ebd08b94f1f 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -434,10 +434,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
udpdest.sin_addr.s_addr = htonl(network | addr.station);
}
+ memset(&ah, 0, sizeof(ah));
ah.port = port;
ah.cb = cb & 0x7f;
ah.code = 2; /* magic */
- ah.pad = 0;
/* tack our header on the front of the iovec */
size = sizeof(struct aunhdr);