linux/net
Mathias Krause d26d6504f2 NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()
The code in llcp_sock_recvmsg() does not initialize all the members of
struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
initialize the padding bytes of the structure inserted by the compiler
for alignment.

Also, if the socket is in state LLCP_CLOSED or is shutting down during
receive the msg_namelen member is not updated to 0 while otherwise
returning with 0, i.e. "success". The msg_namelen update is also
missing for stream and seqpacket sockets which don't fill the sockaddr
info.

Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.

Fix the first issue by initializing the memory used for sockaddr info
with memset(0). Fix the second one by setting msg_namelen to 0 early.
It will be updated later if we're going to fill the msg_name member.

Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-07 16:28:02 -04:00
..
9p Revert parts of "hlist: drop the node parameter from iterators" 2013-03-08 15:05:34 -08:00
802 mrp: make mrp_rcv static 2013-02-11 14:16:26 -05:00
8021q 8021q: fix a potential use-after-free 2013-03-24 17:27:28 -04:00
appletalk hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
atm atm: update msg_namelen in vcc_recvmsg() 2013-04-07 16:28:00 -04:00
ax25 ax25: fix info leak via msg_name in ax25_recvmsg() 2013-04-07 16:28:00 -04:00
batman-adv batman-adv: verify tt len does not exceed packet len 2013-03-11 22:59:47 +01:00
bluetooth Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg() 2013-04-07 16:28:01 -04:00
bridge bridge: fix crash when set mac address of br interface 2013-03-24 17:27:28 -04:00
caif caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg() 2013-04-07 16:28:01 -04:00
can hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2013-03-12 09:22:42 -07:00
core netfilter: don't reset nf_trace in nf_reset() 2013-04-05 15:38:10 -04:00
dcb dcbnl: fix various netlink info leaks 2013-03-10 05:19:26 -04:00
dccp Driver core patches for 3.9-rc1 2013-02-21 12:05:51 -08:00
decnet hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
dns_resolver Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-12-16 15:40:50 -08:00
dsa dsa: make dsa_switch_setup check for valid port names 2013-01-21 15:40:12 -05:00
ethernet net: split eth_mac_addr for better error handling 2013-01-21 14:07:44 -05:00
ieee802154 6lowpan: Fix endianness issue in is_addr_link_local(). 2013-03-10 16:49:35 -04:00
ipv4 net: ipv4: notify when address lifetime changes 2013-04-05 00:51:12 -04:00
ipv6 ipv6/tcp: Stop processing ICMPv6 redirect messages 2013-04-07 12:36:08 -04:00
ipx hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
irda irda: Fix missing msg_namelen update in irda_recvmsg_dgram() 2013-04-07 16:28:01 -04:00
iucv iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() 2013-04-07 16:28:01 -04:00
key Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2013-03-27 14:07:04 -04:00
l2tp l2tp: fix info leak in l2tp_ip6_recvmsg() 2013-04-07 16:28:01 -04:00
lapb net/lapb: remove depends on CONFIG_EXPERIMENTAL 2013-01-11 11:40:01 -08:00
llc llc: Fix missing msg_namelen update in llc_ui_recvmsg() 2013-04-07 16:28:01 -04:00
mac80211 Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 2013-04-01 15:09:28 -04:00
mac802154 Driver core patches for 3.9-rc1 2013-02-21 12:05:51 -08:00
netfilter netfilter: nf_conntrack: fix error return code 2013-03-27 18:31:17 +01:00
netlabel netlabel: fix build problems when CONFIG_IPV6=n 2013-03-08 11:33:51 -05:00
netlink genetlink: trigger BUG_ON if a group name is too long 2013-03-20 12:05:51 -04:00
netrom netrom: fix info leak via msg_name in nr_recvmsg() 2013-04-07 16:28:02 -04:00
nfc NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() 2013-04-07 16:28:02 -04:00
openvswitch Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch 2013-03-15 09:00:39 -04:00
packet hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
phonet hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
rds net/rds: zero last byte for strncpy 2013-03-08 00:35:44 -05:00
rfkill rfkill: don't use [delayed_]work_pending() 2012-12-28 13:40:16 -08:00
rose hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
rxrpc Driver core patches for 3.9-rc1 2013-02-21 12:05:51 -08:00
sched cbq: incorrect processing of high limits 2013-04-02 14:29:20 -04:00
sctp sctp: don't break the loop while meeting the active_path so as to find the matched transport 2013-03-13 10:09:55 -04:00
sunrpc NFS client bugfixes for Linux 3.9 2013-03-26 14:23:45 -07:00
tipc hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
unix af_unix: If we don't care about credentials coallesce all messages 2013-04-05 00:49:13 -04:00
vmw_vsock VSOCK: Handle changes to the VMCI context ID. 2013-04-02 14:39:17 -04:00
wimax
wireless Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 2013-03-25 14:50:17 -04:00
x25 hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2013-03-27 14:07:04 -04:00
compat.c
Kconfig Driver core patches for 3.9-rc1 2013-02-21 12:05:51 -08:00
Makefile VSOCK: Introduce VM Sockets 2013-02-10 19:41:08 -05:00
nonet.c
socket.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
sysctl_net.c user_ns: get rid of duplicate code in net_ctl_permissions 2012-11-18 20:32:45 -05:00