summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2012-09-19 11:33:38 +0000
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-10-13 05:38:40 +0900
commit37d61a27a59671d88279dcc4d331f950d4901d4d (patch)
treecd9a28ee5484e21e322634d00391658ec8e05259
parenta91af73f445cacfb0db4df3eb2e3d0ddeff43893 (diff)
downloadlwn-37d61a27a59671d88279dcc4d331f950d4901d4d.tar.gz
lwn-37d61a27a59671d88279dcc4d331f950d4901d4d.zip
xfrm_user: fix info leak in copy_to_user_auth()
[ Upstream commit 4c87308bdea31a7b4828a51f6156e6f721a1fcc9 ] copy_to_user_auth() fails to initialize the remainder of alg_name and therefore discloses up to 54 bytes of heap memory via netlink to userland. Use strncpy() instead of strcpy() to fill the trailing bytes of alg_name with null bytes. Signed-off-by: Mathias Krause <minipli@googlemail.com> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--net/xfrm/xfrm_user.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 4cae47d8dc41..f5936d84655c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -742,7 +742,7 @@ static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
return -EMSGSIZE;
algo = nla_data(nla);
- strcpy(algo->alg_name, auth->alg_name);
+ strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name));
memcpy(algo->alg_key, auth->alg_key, (auth->alg_key_len + 7) / 8);
algo->alg_key_len = auth->alg_key_len;