Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756694AbaBEVNg (ORCPT ); Wed, 5 Feb 2014 16:13:36 -0500 Received: from mail.windriver.com ([147.11.1.11]:54250 "EHLO mail.windriver.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753874AbaBEUDu (ORCPT ); Wed, 5 Feb 2014 15:03:50 -0500 From: Paul Gortmaker To: , CC: Mathias Krause , Arnaldo Carvalho de Melo , "David S. Miller" , Paul Gortmaker Subject: [v2.6.34-stable 025/213] llc: Fix missing msg_namelen update in llc_ui_recvmsg() Date: Wed, 5 Feb 2014 14:59:40 -0500 Message-ID: <1391630568-49251-26-git-send-email-paul.gortmaker@windriver.com> X-Mailer: git-send-email 1.8.5.2 In-Reply-To: <1391630568-49251-1-git-send-email-paul.gortmaker@windriver.com> References: <1391630568-49251-1-git-send-email-paul.gortmaker@windriver.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Mathias Krause ------------------- This is a commit scheduled for the next v2.6.34 longterm release. http://git.kernel.org/?p=linux/kernel/git/paulg/longterm-queue-2.6.34.git If you see a problem with using this for longterm, please comment. ------------------- commit c77a4b9cffb6215a15196ec499490d116dfad181 upstream. For stream sockets the code misses to update the msg_namelen member to 0 and therefore makes net/socket.c leak the local, uninitialized sockaddr_storage variable to userland -- 128 bytes of kernel stack memory. The msg_namelen update is also missing for datagram sockets in case the socket is shutting down during receive. Fix both issues by setting msg_namelen to 0 early. It will be updated later if we're going to fill the msg_name member. Cc: Arnaldo Carvalho de Melo Signed-off-by: Mathias Krause Signed-off-by: David S. Miller Signed-off-by: Paul Gortmaker --- net/llc/af_llc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c index 06010e1e89f9..121c92e3c128 100644 --- a/net/llc/af_llc.c +++ b/net/llc/af_llc.c @@ -719,6 +719,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, int target; /* Read at least this many bytes */ long timeo; + msg->msg_namelen = 0; + lock_sock(sk); copied = -ENOTCONN; if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) -- 1.8.5.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/