CVE-2013-3228 irda: missing msg_namelen update in irda_recvmsg_dgram (rhbz 956069 956071)
This commit is contained in:
Josh Boyer
parent
b0d734f6c4
commit
b92e84a3a8
|
|
@ -0,0 +1,37 @@
|
|||
From 5ae94c0d2f0bed41d6718be743985d61b7f5c47d Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sun, 7 Apr 2013 01:51:53 +0000
|
||||
Subject: [PATCH] irda: Fix missing msg_namelen update in irda_recvmsg_dgram()
|
||||
|
||||
The current code does not fill the msg_name member in case it is set.
|
||||
It also does not set the msg_namelen member to 0 and therefore makes
|
||||
net/socket.c leak the local, uninitialized sockaddr_storage variable
|
||||
to userland -- 128 bytes of kernel stack memory.
|
||||
|
||||
Fix that by simply setting msg_namelen to 0 as obviously nobody cared
|
||||
about irda_recvmsg_dgram() not filling the msg_name in case it was
|
||||
set.
|
||||
|
||||
Cc: Samuel Ortiz <samuel@sortiz.org>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/irda/af_irda.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
|
||||
index d28e7f0..e493b33 100644
|
||||
--- a/net/irda/af_irda.c
|
||||
+++ b/net/irda/af_irda.c
|
||||
@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
|
||||
|
||||
IRDA_DEBUG(4, "%s()\n", __func__);
|
||||
|
||||
+ msg->msg_namelen = 0;
|
||||
+
|
||||
skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
|
||||
flags & MSG_DONTWAIT, &err);
|
||||
if (!skb)
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
|
|
@ -816,6 +816,9 @@ Patch25023: llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
|
|||
#CVE-2013-3230 956088 956089
|
||||
Patch25024: l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
|
||||
|
||||
#CVE-2013-3228 956069 956071
|
||||
Patch25025: irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1590,6 +1593,9 @@ ApplyPatch llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
|
|||
#CVE-2013-3230 956088 956089
|
||||
ApplyPatch l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
|
||||
|
||||
#CVE-2013-3228 956069 956071
|
||||
ApplyPatch irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2447,6 +2453,7 @@ fi
|
|||
# '-'
|
||||
%changelog
|
||||
* Wed Apr 24 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-3228 irda: missing msg_namelen update in irda_recvmsg_dgram (rhbz 956069 956071)
|
||||
- CVE-2013-3230 l2tp: info leak in l2tp_ip6_recvmsg (rhbz 956088 956089)
|
||||
- CVE-2013-3231 llc: Fix missing msg_namelen update in llc_ui_recvmsg (rhbz 956094 956104)
|
||||
- CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)
|
||||
|
|
|
|||
Loading…
Reference in New Issue