diff options
author | Mathias Krause <minipli@googlemail.com> | 2012-09-19 11:33:38 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-10-13 05:38:40 +0900 |
commit | 37d61a27a59671d88279dcc4d331f950d4901d4d (patch) | |
tree | cd9a28ee5484e21e322634d00391658ec8e05259 | |
parent | a91af73f445cacfb0db4df3eb2e3d0ddeff43893 (diff) | |
download | lwn-37d61a27a59671d88279dcc4d331f950d4901d4d.tar.gz lwn-37d61a27a59671d88279dcc4d331f950d4901d4d.zip |
xfrm_user: fix info leak in copy_to_user_auth()
[ Upstream commit 4c87308bdea31a7b4828a51f6156e6f721a1fcc9 ]
copy_to_user_auth() fails to initialize the remainder of alg_name and
therefore discloses up to 54 bytes of heap memory via netlink to
userland.
Use strncpy() instead of strcpy() to fill the trailing bytes of alg_name
with null bytes.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | net/xfrm/xfrm_user.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 4cae47d8dc41..f5936d84655c 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -742,7 +742,7 @@ static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb) return -EMSGSIZE; algo = nla_data(nla); - strcpy(algo->alg_name, auth->alg_name); + strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name)); memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8); algo->alg_key_len = auth->alg_key_len; |