CVE-2013-3230 l2tp: info leak in l2tp_ip6_recvmsg (rhbz 956088 956089)
parent c416a99578
commit aba5c507e3
@ -829,6 +829,9 @@ Patch25022: netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
#CVE-2013-3231 956094 956104
Patch25023: llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
#CVE-2013-3230 956088 956089
Patch25024: l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
# END OF PATCH DEFINITIONS
%endif
@ -1608,6 +1611,9 @@ ApplyPatch netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
#CVE-2013-3231 956094 956104
ApplyPatch llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
#CVE-2013-3230 956088 956089
ApplyPatch l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
# END OF PATCH APPLICATIONS
%endif
@ -2466,6 +2472,7 @@ fi
# || ||
%changelog
* Wed Apr 24 2013 Josh Boyer <jwboyer@redhat.com>
- CVE-2013-3230 l2tp: info leak in l2tp_ip6_recvmsg (rhbz 956088 956089)
- CVE-2013-3231 llc: Fix missing msg_namelen update in llc_ui_recvmsg (rhbz 956094 956104)
- CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)
- CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129)
@ -0,0 +1,32 @@
From b860d3cc62877fad02863e2a08efff69a19382d2 Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@googlemail.com>
Date: Sun, 7 Apr 2013 01:51:55 +0000
Subject: [PATCH] l2tp: fix info leak in l2tp_ip6_recvmsg()
The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of
struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack
in l2tp_ip6_recvmsg() in case msg_name is set.
Initialize l2tp_conn_id with 0 to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/l2tp/l2tp_ip6.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index c74f5a9..b8a6039 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -690,6 +690,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
lsa->l2tp_addr = ipv6_hdr(skb)->saddr;
lsa->l2tp_flowinfo = 0;
lsa->l2tp_scope_id = 0;
+ lsa->l2tp_conn_id = 0;
if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
lsa->l2tp_scope_id = IP6CB(skb)->iif;
}
--
1.8.1.4
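Review bot: In the l2tp_ip6_recvmsg() block at net/l2tp/l2tp_ip6.c:690 the sockaddr is still cleared one member at a time (`lsa->l2tp_flowinfo = 0;`, `lsa->l2tp_scope_id = 0;`, and now `lsa->l2tp_conn_id = 0;`), so any member added to struct sockaddr_l2tpip6 later, or any padding inside it, would be copied out uninitialized in the same way l2tp_conn_id was. Zeroing the whole structure once before the assignments, for example `memset(lsa, 0, sizeof(*lsa));`, would close the class of bug rather than this one field and would make the explicit zero assignments unnecessary. The patch carries upstream Signed-off-by lines, so the suggestion belongs with the upstream code rather than in this package.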