CVE-2016-5243 info leak in tipc (rhbz 1343338 1343335)

kernel.spec

@@ -625,6 +625,9 @@ Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
 #CVE-2016-4951 rhbz 1338625 1338626
 Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch
 
+#CVE-2016-5243 rhbz 1343338 1343335
+Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2150,6 +2153,9 @@ fi
 #
 # 
 %changelog
+* Tue Jun 07 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-5243 info leak in tipc (rhbz 1343338 1343335)
+
 * Wed Jun 01 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - Linux v4.6.1
 

tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch

@@ -0,0 +1,32 @@
+From 5d2be1422e02ccd697ccfcd45c85b4a26e6178e2 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Thu, 2 Jun 2016 04:04:56 -0400
+Subject: tipc: fix an infoleak in tipc_nl_compat_link_dump
+
+link_info.str is a char array of size 60. Memory after the NULL
+byte is not initialized. Sending the whole object out can cause
+a leak.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/tipc/netlink_compat.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index f795b1d..3ad9fab 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -604,7 +604,8 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
+ 
+ 	link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
+ 	link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
+-	strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
++	nla_strlcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]),
++		    TIPC_MAX_LINK_NAME);
+ 
+ 	return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO,
+ 			    &link_info, sizeof(link_info));
+-- 
+cgit v0.12
+