summaryrefslogtreecommitdiff
path: root/net/llc
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2012-08-15 11:31:53 +0000
committerBen Hutchings <ben@decadent.org.uk>2012-09-19 15:04:53 +0100
commit3f497daadeeb2b84dc8e97b32416d98b34485b99 (patch)
tree7bf0d70b2450978d06f878e7ea0735920f2ff7f6 /net/llc
parent79690021eba0738861965187af2f75035f846d6f (diff)
downloadlwn-3f497daadeeb2b84dc8e97b32416d98b34485b99.tar.gz
lwn-3f497daadeeb2b84dc8e97b32416d98b34485b99.zip
llc: fix info leak via getsockname()
[ Upstream commit 3592aaeb80290bda0f2cf0b5456c97bfc638b192 ] The LLC code wrongly returns 0, i.e. "success", when the socket is zapped. Together with the uninitialized uaddrlen pointer argument from sys_getsockname this leads to an arbitrary memory leak of up to 128 bytes kernel stack via the getsockname() syscall. Return an error instead when the socket is zapped to prevent the info leak. Also remove the unnecessary memset(0). We don't directly write to the memory pointed by uaddr but memcpy() a local structure at the end of the function that is properly initialized. Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'net/llc')
-rw-r--r--net/llc/af_llc.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index a18e6c3d36e3..99a60d545b24 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -966,14 +966,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
struct sockaddr_llc sllc;
struct sock *sk = sock->sk;
struct llc_sock *llc = llc_sk(sk);
- int rc = 0;
+ int rc = -EBADF;
memset(&sllc, 0, sizeof(sllc));
lock_sock(sk);
if (sock_flag(sk, SOCK_ZAPPED))
goto out;
*uaddrlen = sizeof(sllc);
- memset(uaddr, 0, *uaddrlen);
if (peer) {
rc = -ENOTCONN;
if (sk->sk_state != TCP_ESTABLISHED)