diff options
author | Hannes Frederic Sowa <hannes@stressinduktion.org> | 2013-11-18 04:20:45 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-11-18 15:12:03 -0500 |
commit | bceaa90240b6019ed73b49965eac7d167610be69 (patch) | |
tree | f68c10948efff147a7b987369f1e720ad76f411b /net/phonet | |
parent | bcd081a3aef1f7f3786067ae8dd26aaa1cf85153 (diff) | |
download | linux-stable-bceaa90240b6019ed73b49965eac7d167610be69.tar.gz linux-stable-bceaa90240b6019ed73b49965eac7d167610be69.tar.bz2 linux-stable-bceaa90240b6019ed73b49965eac7d167610be69.zip |
inet: prevent leakage of uninitialized memory to user in recv syscalls
Only update *addr_len when we actually fill in sockaddr, otherwise we
can return uninitialized memory from the stack to the caller in the
recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
checks because we only get called with a valid addr_len pointer either
from sock_common_recvmsg or inet_recvmsg.
If a blocking read waits on a socket which is concurrently shut down we
now return zero and set msg_msgnamelen to 0.
Reported-by: mpb <mpb.mail@gmail.com>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/phonet')
-rw-r--r-- | net/phonet/datagram.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c index 12c30f3e643e..38946b26e471 100644 --- a/net/phonet/datagram.c +++ b/net/phonet/datagram.c @@ -139,9 +139,6 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, MSG_CMSG_COMPAT)) goto out_nofree; - if (addr_len) - *addr_len = sizeof(sa); - skb = skb_recv_datagram(sk, flags, noblock, &rval); if (skb == NULL) goto out_nofree; @@ -162,8 +159,10 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, rval = (flags & MSG_TRUNC) ? skb->len : copylen; - if (msg->msg_name != NULL) - memcpy(msg->msg_name, &sa, sizeof(struct sockaddr_pn)); + if (msg->msg_name != NULL) { + memcpy(msg->msg_name, &sa, sizeof(sa)); + *addr_len = sizeof(sa); + } out: skb_free_datagram(sk, skb); |