Eric Lee / smarc-ti-linux-kernel

5
Download as
Browse Code ยป

Commit a5f6fc28d6e6cc379c6839f21820e62262419584

Authored by Mathias Krause
Committed by David S. Miller
1 parent ee7255ada3
Exists in ti-lsk-linux-4.1.y and in 10 other branches dlt-processor-sdk-linux-03.00.00.04, processor-sdk-linux-02.00.01, smarc-ti-lsk-linux-4.1.y, smarct3x-processor-sdk-04.01.00.06, smarct3x-processor-sdk-linux-02.00.01, smarct3x-processor-sdk-linux-03.00.00.04, smarct4x-800-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-04.01.00.06, smarct4x-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-linux-03.00.00.04

pptp: fix stack info leak in pptp_getname() 

pptp_getname() only partially initializes the stack variable sa,
particularly only fills the pptp part of the sa_addr union. The code
thereby discloses 16 bytes of kernel stack memory via getsockname().

Fix this by memset(0)'ing the union before.

Cc: Dmitry Kozlov <xeb@mail.ru>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 1 changed file with 3 additions and 1 deletions Side-by-side Diff

drivers/net/ppp/pptp.c
Diff comments   View file @ a5f6fc2
... ... @@ -506,7 +506,9 @@
506 506 int len = sizeof(struct sockaddr_pppox);
507 507 struct sockaddr_pppox sp;
508 508  
509   - sp.sa_family = AF_PPPOX;
  509 + memset(&sp.sa_addr, 0, sizeof(sp.sa_addr));
  510 +
  511 + sp.sa_family = AF_PPPOX;
510 512 sp.sa_protocol = PX_PROTO_PPTP;
511 513 sp.sa_addr.pptp = pppox_sk(sock->sk)->proto.pptp.src_addr;
512 514